yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1856962] Re: openid method failed when federation_group_ids is empty list

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1856962@xxxxxxxxxxxxxxxxxx>
Date: Thu, 02 Jan 2020 03:09:35 -0000
Reply-to: Bug 1856962 <1856962@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Reviewed:  https://review.opendev.org/699927
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f0d964e66675037d62ad17847a966e71720dbd54
Submitter: Zuul
Branch:    master

commit f0d964e66675037d62ad17847a966e71720dbd54
Author: shenjiatong <yshxxsjt715@xxxxxxxxx>
Date:   Thu Dec 19 13:38:32 2019 +0800

    Fix token auth error if federated_groups_id is empty list
    
    `federation_group_ids` could be zero length list, so deciding whether
    a token is federated by checking if it is none.
    
    Change-Id: I0f4b9e24d949aa4838ee721a165999b29c684d32
    Closes-Bug: #1856962


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1856962

Title:
  openid method failed when federation_group_ids  is empty list

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  LOG:
  2019-12-17 02:25:09.269827 2019-12-17 02:25:09.269 10 INFO keystone.common.wsgi [req-521eb002-385e-4015-8035-16bfbdcf0d33 - - - - -] POST http://keystone.openstack.svc.region-guiyang-zyy.myinspurcloud.com/v3/auth/tokens
  2019-12-17 02:25:09.270180 2019-12-17 02:25:09.269 10 INFO keystone.common.wsgi [req-521eb002-385e-4015-8035-16bfbdcf0d33 - - - - -] POST http://keystone.openstack.svc.region-guiyang-zyy.myinspurcloud.com/v3/auth/tokens
  2019-12-17 02:25:09.298401 2019-12-17 02:25:09.297 10 WARNING keystone.common.fernet_utils [req-521eb002-385e-4015-8035-16bfbdcf0d33 - - - - -] key_repository is world readable: /etc/keystone/fernet-keys/: NeedRegenerationException
  2019-12-17 02:25:09.298764 2019-12-17 02:25:09.297 10 WARNING keystone.common.fernet_utils [req-521eb002-385e-4015-8035-16bfbdcf0d33 - - - - -] key_repository is world readable: /etc/keystone/fernet-keys/: NeedRegenerationException
  2019-12-17 02:25:09.344893 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi [req-521eb002-385e-4015-8035-16bfbdcf0d33 - - - - -] 'NoneType' object is not iterable: TypeError: 'NoneType' object is not iterable
  2019-12-17 02:25:09.344916 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi Traceback (most recent call last):
  2019-12-17 02:25:09.344921 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/common/wsgi.py", line 148, in __call__
  2019-12-17 02:25:09.344925 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     result = method(req, **params)
  2019-12-17 02:25:09.344929 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/auth/controllers.py", line 67, in authenticate_for_token
  2019-12-17 02:25:09.344934 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     self.authenticate(request, auth_info, auth_context)
  2019-12-17 02:25:09.344938 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/auth/controllers.py", line 236, in authenticate
  2019-12-17 02:25:09.344942 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     auth_info.get_method_data(method_name))
  2019-12-17 02:25:09.344945 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 58, in authenticate
  2019-12-17 02:25:09.344949 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     PROVIDERS.identity_api)
  2019-12-17 02:25:09.344953 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 80, in handle_scoped_token
  2019-12-17 02:25:09.344957 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     for group_dict in token.federated_groups:
  2019-12-17 02:25:09.344961 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi TypeError: 'NoneType' object is not iterable
  2019-12-17 02:25:09.344965 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi 
  2019-12-17 02:25:09.345666 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi [req-521eb002-385e-4015-8035-16bfbdcf0d33 - - - - -] 'NoneType' object is not iterable: TypeError: 'NoneType' object is not iterable
  2019-12-17 02:25:09.345681 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi Traceback (most recent call last):
  2019-12-17 02:25:09.345686 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/common/wsgi.py", line 148, in __call__
  2019-12-17 02:25:09.345690 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     result = method(req, **params)
  2019-12-17 02:25:09.345694 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/auth/controllers.py", line 67, in authenticate_for_token
  2019-12-17 02:25:09.345698 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     self.authenticate(request, auth_info, auth_context)
  2019-12-17 02:25:09.345702 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/auth/controllers.py", line 236, in authenticate
  2019-12-17 02:25:09.345706 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     auth_info.get_method_data(method_name))
  2019-12-17 02:25:09.345710 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 58, in authenticate
  2019-12-17 02:25:09.345714 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     PROVIDERS.identity_api)
  2019-12-17 02:25:09.345718 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi   File "/var/lib/openstack/local/lib/python2.7/site-packages/keystone/auth/plugins/mapped.py", line 80, in handle_scoped_token
  2019-12-17 02:25:09.345722 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi     for group_dict in token.federated_groups:
  2019-12-17 02:25:09.345726 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi TypeError: 'NoneType' object is not iterable
  2019-12-17 02:25:09.345730 2019-12-17 02:25:09.343 10 ERROR keystone.common.wsgi 
  10.16.4.45 - - [17/Dec/2019:02:25:09 +0000] "POST /v3/auth/tokens HTTP/1.1" 400 96 "-" "curl/7.58.0"

  OpenStack Version:

  Rocky

  We are hitting this error message when using keystone federation. The
  mapping is simple as follow:

  [ 
     { 
        "remote":[ 
           { 
              "type":"REMOTE_USER"
           },
           { 
              "type":"OIDC-project"
           }
        ],
        "local":[ 
           { 
              "user":{ 
                 "name":"{0}"
              }
           },
           { 
              "projects":[ 
                 { 
                    "name":"{1}",
                    "roles":[ 
                       { 
                          "name":"member"
                       }
                    ]
                 }
              ]
           }
        ]
     }
  ]

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1856962/+subscriptions
References

[Bug 1856962] [NEW] openid method failed when federation_group_ids is empty list
From: norman shen, 2019-12-19