
yahoo-eng-team team mailing list archive

[Bug 1838592] [NEW] WebSSO unable to support multiple identity providers

 

Public bug reported:

When performing WebSSO authentication (i.e. OpenID Connect), if
multiple identity providers exist, regardless of protocol and
mapping association, Keystone will yield the following error.

Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application [None req-00ae9c5a-5d05-43d9-b15b-585720f7aefa None None] Could not find federated protocol openid for Identity Provider: 4afcec6e3c45565103e8f71665dff443f3e>
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application Traceback (most recent call last):
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/usr/lib/python2.7/site-packages/flask_restful/__init__.py", line 266, in error_router
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     return self.handle_error(e)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/usr/lib/python2.7/site-packages/flask/app.py", line 1949, in full_dispatch_request
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     rv = self.dispatch_request()
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/usr/lib/python2.7/site-packages/flask/app.py", line 1935, in dispatch_request
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     return self.view_functions[rule.endpoint](**req.view_args)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/usr/lib/python2.7/site-packages/flask_restful/__init__.py", line 458, in wrapper
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     resp = resource(*args, **kwargs)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/usr/lib/python2.7/site-packages/flask/views.py", line 89, in view
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     return self.dispatch_request(*args, **kwargs)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/usr/lib/python2.7/site-packages/flask_restful/__init__.py", line 573, in dispatch_request
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     resp = meth(*args, **kwargs)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/opt/stack/keystone/keystone/server/flask/common.py", line 1064, in wrapper
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     return f(*args, **kwargs)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/opt/stack/keystone/keystone/api/auth.py", line 359, in get
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     return self._perform_auth(protocol_id)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/opt/stack/keystone/keystone/api/auth.py", line 340, in _perform_auth
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     idp, protocol_id)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/opt/stack/keystone/keystone/federation/utils.py", line 286, in get_remote_id_parameter
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     protocol_ref = PROVIDERS.federation_api.get_protocol(idp['id'], protocol)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/opt/stack/keystone/keystone/federation/backends/sql.py", line 279, in get_protocol
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     protocol_ref = self._get_protocol(session, idp_id, protocol_id)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application   File "/opt/stack/keystone/keystone/federation/backends/sql.py", line 255, in _get_protocol
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application     raise exception.FederatedProtocolNotFound(**kwargs)
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application FederatedProtocolNotFound: Could not find federated protocol openid for Identity Provider: 4afcec6e3c45565103e8f71665dff443f3eff2107ade89918207aa60d95063a3.
Aug 01 03:41:21 localhost devstack@keystone.service[26546]: ERROR keystone.server.flask.application 

Keystone should have either caught the exception and moved on to the next
lookup or parsed the identity provider from the request path.

Steps to reproduce the problem.

1. Follow the doc to set up WebSSO against the Google OpenID Connect provider.
2. Create one more identity provider with a different protocol and mapping.
3. An attempt to log in from Horizon should yield something like "{"error":{"code":404,"message":"Could not find federated protocol openid for Identity Provider: 4afcec6e3c45565103e8f71665dff443f3eff2107ade89918207aa60d95063a3.","title":"Not Found"}}"

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1838592

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1838592/+subscriptions
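
The failure mode in the traceback above, and the reporter's first suggested behaviour, as a simplified model. This is an added example, not Keystone's code and not part of the original report. The IdP ids, remote ids and environment key names are constructed, and find_idp_strict / find_idp_tolerant are hypothetical names.

```python
# Simplified in-memory model of the lookup seen in the traceback
# (_perform_auth -> get_remote_id_parameter -> get_protocol).
# NOT Keystone source: all ids, URLs and key names below are constructed.

class FederatedProtocolNotFound(Exception):
    """Stand-in for the exception raised in the traceback."""

# idp_id -> protocols (protocol_id -> request-environment key) and remote ids
IDPS = {
    "corp-saml": {"protocols": {"saml2": "Shib-Identity-Provider"},
                  "remote_ids": ["https://idp.example.test/saml"]},
    "google": {"protocols": {"openid": "HTTP_OIDC_ISS"},
               "remote_ids": ["https://accounts.google.com"]},
}

def get_remote_id_parameter(idp_id, protocol_id):
    """Return the environment key for this IdP/protocol pair, or raise."""
    try:
        return IDPS[idp_id]["protocols"][protocol_id]
    except KeyError:
        raise FederatedProtocolNotFound(
            "Could not find federated protocol %s for Identity Provider: %s."
            % (protocol_id, idp_id))

def find_idp_strict(environ, protocol_id):
    """Reported behaviour: the first IdP lacking the protocol aborts the scan."""
    for idp_id, idp in IDPS.items():
        name = get_remote_id_parameter(idp_id, protocol_id)  # may raise
        if environ.get(name) in idp["remote_ids"]:
            return idp_id
    return None

def find_idp_tolerant(environ, protocol_id):
    """Suggested behaviour: skip IdPs without the protocol and keep looking."""
    for idp_id, idp in IDPS.items():
        try:
            name = get_remote_id_parameter(idp_id, protocol_id)
        except FederatedProtocolNotFound:
            continue  # this IdP does not speak the protocol; try the next one
        if environ.get(name) in idp["remote_ids"]:
            return idp_id
    # Fail closed: nothing matched, so the caller must reject the login
    # rather than fall back to some default IdP.
    return None
```

Skipping a non-matching IdP only restores availability; the login is still accepted only when the asserted remote id belongs to an IdP that is registered for the requested protocol.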

