yahoo-eng-team team mailing list archive

[Bug 1850963] [NEW] Signing in via multiple federation protocols leads to sql duplicate entry error

 

Public bug reported:

I am using an OSA All In One instance to look at federation options.
I have set up one IdP with two federation protocols, SAML2 (Shib) and OpenId attached to it.
Each protocol has its own mapping - but in the end they map to the same result, an ephemeral user with an email as the username, with the same permissions.

When I sign in with a user using one protocol for the first time, I am
then unable to authenticate using a different protocol due to an SQL
Duplicate Entry Error.

Should this be possible?
Is it because I've used two mappings instead of having a combined mapping, or is a user tied to a protocol? - Many questions!

A couple of logs:
keystone.federation.utils: mapped_properties: {'user': {'name': 'test-user@xxxxxxxx', 'type': 'ephemeral'}, 'group_ids': [], 'group_names': [{'domain': {'name': 'Default'}, 'name': 'fedgroup'}], 'projects': []}

keystone.common.sql.core: Conflict federated_user: (pymysql.err.IntegrityError) (1062, "Duplicate entry '628c91b90865ab0b22c088b3bb3120ca2045d784229a7588978f0424deef6085' for key 'PRIMARY'")

[SQL: INSERT INTO user (id, domain_id, enabled, extra, default_project_id, created_at, last_active_at) VALUES (%(id)s, %(domain_id)s, %(enabled)s, %(extra)s, %(default_project_id)s, %(created_at)s, %(last_active_at)s)]

[parameters: {'id': '628c91b90865ab0b22c088b3bb3120ca2045d784229a7588978f0424deef6085', 'domain_id': '3bfb8fcffe304dc991f2312399d8eada', 'enabled': 1, 'extra': '{}', 'default_project_id': None, 'created_at': datetime.datetime(2019, 11, 1, 11, 48, 17, 73570), 'last_active_at': None}]

(Background on this error at: http://sqlalche.me/e/gkpj) wrapper /openstack/venvs/keystone-20.0.0.0rc1/lib/python3.6/site-packages/keystone/common/sql/core.py:524

Conflict occurred attempting to store federated_user - Duplicate entry.: keystone.exception.Conflict: Conflict occurred attempting to store federated_user - Duplicate entry.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1850963
