yahoo-eng-team team mailing list archive
Message #77038
[Bug 1811605] Re: Tokenless authentication is broken
Reviewed: https://review.openstack.org/635993
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1b261e8bec31a6de3905557abde0da93d5c0437a
Submitter: Zuul
Branch: master
commit 1b261e8bec31a6de3905557abde0da93d5c0437a
Author: Guang Yee <guang.yee@xxxxxxxx>
Date: Fri Feb 8 16:56:40 2019 -0800
populate request context with X.509 tokenless cred information
Fixes X.509 tokenless auth by properly populating the request context
with the necessary credential information. Since the Stein release, RBAC
has been using the credential information from the Keystone request
context instead of the authentication context. Therefore, we'll need
to populate the request context with the necessary credential
information from the X.509 tokenless authentication context.
Closes-Bug: 1811605
Change-Id: I170a91e9ac36990d1e7ec4165dd0337b8f06a938
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1811605
Title:
Tokenless authentication is broken
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
When trying to use tokenless authentication, authentication fails with
the following traceback:
http://paste.openstack.org/show/742271/
git bisect shows this is the commit that introduced the bug:
0dc5c4edabd5cb0455ffe1c4f8cf8369f64b2197
Steps to reproduce:
(Can start out with configuring devstack with the tls-proxy service to
have devstack generate a root CA but then you need to remove the
default proxy configuration in
/etc/apache2/sites-available/http-services-tls-proxy.conf it generates)
Configure keystone behind Apache with mod_ssl and the following
mod_ssl options:
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /opt/stack/data/devstack-cert.pem
    SSLCACertificateFile /opt/stack/data/CA/root-ca/cacert.pem
    SSLOptions +StdEnvVars
    SSLVerifyClient optional
    SSLUserName SSL_CLIENT_S_DN_CN
    SetEnv REMOTE_DOMAIN openstack
</VirtualHost>
In keystone.conf set up external authentication and tokenless auth:
[tokenless_auth]
trusted_issuer = CN=Root CA,OU=DevStack Certificate Authority,O=OpenStack
[auth]
methods = password,token,external
external = Domain
Create a client certificate with the example user values from the
tokenless auth docs, signed by the root CA:
$ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
$ openssl x509 -req -in CSR.csr -CA /opt/stack/data/CA/root-ca/cacert.pem -CAkey /opt/stack/data/CA/root-ca/private/cacert.key -days 365 -out john.pem -CAcreateserial
Create the IdP, mapping and protocol:
$ openstack identity provider create ad9b5af1ba36ffc36e1fbf7af5e83e25aebf66bbfefc12eed0313a875e6f9663
$ openstack mapping create x509map --rules rules.json
$ openstack federation protocol create x509 --mapping x509map --identity-provider ad9b5af1ba36ffc36e1fbf7af5e83e25aebf66bbfefc12eed0313a875e6f9663
Create a local user with role assignments:
$ openstack domain create openstack
$ openstack user create john --domain openstack
$ openstack role add --user john --user-domain openstack --project demo member
Get a token for the user:
$ curl -v -k -s -X POST --cert john.pem --key privateKey.key \
    -H "x-project-name: demo" -H "x-project-domain-id: default" \
    https://192.168.122.248/identity/v3/auth/tokens \
    -d '{"auth": {"identity": { "methods": [ "external" ], "external": { "user": { "name": "john", "domain": { "name": "openstack" } } } } } }' \
    -H 'content-type: application/json'
Try to validate the token with tokenless auth (as in the documented
example):
$ curl -v -k -s -X GET --cert /home/devuser/john.pem --key /home/devuser/privateKey.key \
    -H "x-project-name: demo" -H "x-project-domain-id: default" \
    https://192.168.122.248/identity/v3/auth/tokens \
    -H "x-subject-token: <token>"
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1811605/+subscriptions
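As an added illustration of the trust chain the reproduction steps above exercise (example code written for this archive page, not keystone's own implementation and not from the bug report): a simplified Python sketch that takes the CGI variables mod_ssl exports under SSLOptions +StdEnvVars, rejects anything whose issuer is not a configured trusted_issuer, derives the IdP id by sha256-hashing the issuer DN as keystone's tokenless-auth documentation describes, and assembles the credential fields that the fix says must be copied into the request context. The env dict, the SSL_CLIENT_VERIFY check and all function names are assumptions constructed for the example.

```python
import hashlib

# Constructed sample of the CGI variables mod_ssl exports under
# "SSLOptions +StdEnvVars" for the report's client cert; only the issuer
# DN comes from the report, the other values are made up for the example.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": "CN=Root CA,OU=DevStack Certificate Authority,O=OpenStack",
    "SSL_CLIENT_S_DN_CN": "john",
    "HTTP_X_PROJECT_NAME": "demo",
    "HTTP_X_PROJECT_DOMAIN_ID": "default",
}
# Mirrors [tokenless_auth] trusted_issuer from the report's keystone.conf.
TRUSTED_ISSUERS = ["CN=Root CA,OU=DevStack Certificate Authority,O=OpenStack"]

class TokenlessAuthError(Exception):
    """The X.509 tokenless credential cannot be trusted."""

def derive_idp_id(issuer_dn):
    """IdP id as keystone's tokenless docs describe it: sha256 of the DN."""
    return hashlib.sha256(issuer_dn.encode("utf-8")).hexdigest()

def build_tokenless_credentials(env, trusted_issuers):
    """Validate the mod_ssl environment and return the credential fields
    that must be copied into the request context (the gap the fix closes)."""
    # "SSLVerifyClient optional" lets a client with no cert through (VERIFY=NONE).
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise TokenlessAuthError("no verified client certificate")
    issuer = env.get("SSL_CLIENT_I_DN")
    if issuer is None:
        raise TokenlessAuthError("SSL_CLIENT_I_DN missing; check +StdEnvVars")
    # A chain Apache accepted is still rejected unless its issuer is trusted.
    if issuer not in trusted_issuers:
        raise TokenlessAuthError("issuer %r is not a trusted_issuer" % issuer)
    project = env.get("HTTP_X_PROJECT_NAME")
    project_domain = env.get("HTTP_X_PROJECT_DOMAIN_ID")
    if not (project and project_domain):
        raise TokenlessAuthError("x-project-name/x-project-domain-id missing")
    return {"identity_provider": derive_idp_id(issuer), "protocol": "x509",
            "user_name": env.get("SSL_CLIENT_S_DN_CN"),
            "project_name": project, "project_domain_id": project_domain}

def is_trusted(env, trusted_issuers):
    """True when the credential would be accepted, False when rejected."""
    try:
        build_tokenless_credentials(env, trusted_issuers)
        return True
    except TokenlessAuthError:
        return False
```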