yahoo-eng-team team mailing list archive

[Bug 1814589] [NEW] Tokenless auth: ephemeral user mapping is broken

Public bug reported:

When using an ephemeral user mapping for X.509 tokenless auth, the Keystone
service will return an HTTP 500 internal error and we'll see a
traceback similar to this in the logs.

Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     return method(self, request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     self.fill_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     auth_context = self._build_tokenless_auth_context(request)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     domain_id)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     self.identity_api, self.assignment_api))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     group['name'], resolve_domain(group['domain']))
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     resource_api.get_domain_by_name(
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi     f = getattr(self.driver, name)
Feb 04 21:59:19 keystone-idp devstack@keystone.service[11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'

Steps to reproduce the problem:

1) Set up X.509 tokenless auth per
https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html

2) Create an ephemeral user mapping. i.e.

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "domain": {
                        "name": "{1}"
                    },
                    "type": "ephemeral"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "admin"
                }
            }
        ],
        "remote": [
            {
                "type": "SSL_CLIENT_S_DN_CN"
            },
            {
                "type": "SSL_CLIENT_S_DN_O"
            }
        ]
    }
]

3) Use curl to test a Keystone API. For example:

curl --cert user_cert.pem --key user_private_key.pem --cacert /etc/keystone/ca.pem \
  -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id: default' \
  https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075
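The traceback shows get_mapped_user passing its assignment_api into transform_to_group_ids, whose resolve_domain then calls get_domain_by_name on that Assignment manager, a method it expects on a resource_api. The following is an added illustration, not Keystone's code: a minimal reconstruction of the mapping step using the report's own mapping, constructed certificate attributes (alice / example-org), constructed domain ids and hypothetical stand-in managers, showing the group lookup succeed with a resource manager and fail with the same AttributeError when the assignment manager is passed instead.

```python
# Constructed sample attributes an X.509 client certificate would expose via
# the two remote types named in the mapping above (not taken from the report).
REMOTE_ENV = {"SSL_CLIENT_S_DN_CN": "alice", "SSL_CLIENT_S_DN_O": "example-org"}

# The ephemeral user mapping from the report, as a Python literal.
MAPPING = [{"local": [{"user": {"name": "{0}", "domain": {"name": "{1}"},
                                "type": "ephemeral"},
                       "group": {"domain": {"name": "Default"}, "name": "admin"}}],
            "remote": [{"type": "SSL_CLIENT_S_DN_CN"}, {"type": "SSL_CLIENT_S_DN_O"}]}]


class ResourceAPI:
    """Hypothetical stand-in for the resource manager: it can look up domains."""
    DOMAINS = {"Default": "default", "example-org": "0123abcd"}  # constructed ids

    def get_domain_by_name(self, name):
        return {"id": self.DOMAINS[name], "name": name}


class AssignmentAPI:
    """Hypothetical stand-in for the assignment manager: role assignments only,
    so it has no get_domain_by_name, matching the AttributeError in the report."""


def apply_mapping(mapping, remote_env):
    """Substitute the remote attribute values into the first rule's local user
    template ({0}, {1}, ...) and return (user, groups) for that user."""
    rule = mapping[0]
    values = [remote_env[r["type"]] for r in rule["remote"]]
    local = rule["local"][0]
    user = {
        "name": local["user"]["name"].format(*values),
        "domain": {"name": local["user"]["domain"]["name"].format(*values)},
        "type": local["user"]["type"],
    }
    return user, [local["group"]]


def transform_to_group_ids(groups, resource_api):
    """Resolve each group's domain by name, as resolve_domain does in the
    traceback; returns (group name, domain id) pairs."""
    return [(g["name"], resource_api.get_domain_by_name(g["domain"]["name"])["id"])
            for g in groups]


def resolve_groups(groups, api):
    """Wrap the lookup so the failure mode is visible: passing the wrong manager
    positionally raises AttributeError, which Keystone surfaces as an HTTP 500."""
    try:
        return transform_to_group_ids(groups, api), None
    except AttributeError as exc:
        return None, str(exc)
```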

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: x509

** Tags added: x509

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1814589