yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #76854
[Bug 1814589] [NEW] Tokenless auth: ephemeral user mapping is broken
Public bug reported:
Using using an ephemeral user mapping for X.509 tokenless auth, Keystone
service will return an HTTP 500 internal error and the we'll see a
traceback similar to this in the logs.
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi return method(self, request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.fill_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi domain_id)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'
Steps to reproduce the problem:
1) Setup X.509 tokenless auth per
https://docs.openstack.org/keystone/pike/advanced-
topics/configure_tokenless_x509.html
2) Create an ephemeral user mapping. i.e.
[
{
"local": [
{
"user": {
"name": "{0}",
"domain": {
"name": "{1}"
},
"type": "ephemeral"
},
"group": {
"domain": {
"name": "Default"
},
"name": "admin"
}
}
],
"remote": [
{
"type": "SSL_CLIENT_S_DN_CN"
},
{
"type": "SSL_CLIENT_S_DN_O"
}
]
}
]
3. Use curl to test a keystone API. For example,
curl --cert user_cert.pem --key user_private_key.pem --cacert
/etc/keystone/ca.pem -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id:
default'
https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075
** Affects: keystone
Importance: Undecided
Status: New
** Tags: x509
** Tags added: x509
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1814589
Title:
Tokenless auth: ephemeral user mapping is broken
Status in OpenStack Identity (keystone):
New
Bug description:
Using using an ephemeral user mapping for X.509 tokenless auth,
Keystone service will return an HTTP 500 internal error and the we'll
see a traceback similar to this in the logs.
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi return method(self, request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.fill_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi domain_id)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'
Steps to reproduce the problem:
1) Setup X.509 tokenless auth per
https://docs.openstack.org/keystone/pike/advanced-
topics/configure_tokenless_x509.html
2) Create an ephemeral user mapping. i.e.
[
{
"local": [
{
"user": {
"name": "{0}",
"domain": {
"name": "{1}"
},
"type": "ephemeral"
},
"group": {
"domain": {
"name": "Default"
},
"name": "admin"
}
}
],
"remote": [
{
"type": "SSL_CLIENT_S_DN_CN"
},
{
"type": "SSL_CLIENT_S_DN_O"
}
]
}
]
3. Use curl to test a keystone API. For example,
curl --cert user_cert.pem --key user_private_key.pem --cacert
/etc/keystone/ca.pem -H 'X-Project-Name: admin' -H 'X-Project-Domain-
Id: default'
https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1814589/+subscriptions
Follow ups
