
yahoo-eng-team team mailing list archive

[Bug 1857086] Re: Trying to update user options field for ldap user gives 403 forbidden


We discussed this a bit in yesterday's meeting:
http://eavesdrop.openstack.org/meetings/keystone/2020/keystone.2020-01-07-17.00.log.html#l-24

Auth methods are separate from identity backends, and moreover user
resource options are separate from users, so it should be possible to
set MFA options for users that are backed by LDAP, so it's not true to
say that we don't support MFA for LDAP. There may be one of a few things
causing the Forbidden error:

1) obvious first step, make sure you're using the right credentials for the admin user who has permissions to edit user attributes
2) check your policy rules - are you using the default rule for the identity:update_user policy (if there is no policy.json or policy.yaml file then you are using the defaults), and if not, are you sure the changes are correct? Also enable debug logging in keystone and check the "RBAC:" logs for hints about how the policy is being enforced
3) try just setting "options" without also setting "enabled" in your PATCH request - while the user options table should be writeable, "enabled" is a property of the user and is not changeable when LDAP is the backend
4) it may be a valid bug in the LDAP manager code improperly forbidding write access

** Changed in: keystone
       Status: Invalid => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1857086

Title:
  Trying to update user options field for ldap user gives 403 forbidden

Status in OpenStack Identity (keystone):
  Incomplete

Bug description:
  I am trying to set up MFA for LDAP users. LDAP configuration is done.
  While running the below API as an admin, I get the 403 Forbidden
  error.

  PATCH "/v3/users/{user_id}"

  {
      "user": {
          "enabled": true,
          "options": {
              "multi_factor_auth_enabled": true
          }
      }
  }

  Result -> You are not authorized to perform the requested action, 403
  Forbidden.

  There is not much information in the logs. Found the below in
  keystone.log,

  2019-12-19 23:58:59.759 51472 WARNING keystone.server.flask.application [req-7d011897-6662-46d1-9df3-8956bf9f5639 bf9f5018298590e9c675df62943158939e2e145758538564bca05042bc0a556a f9fe381c5db344ec8445bb8d45d0285b - default default] You are not authorized to perform the requested action.: Forbidden: You are not authorized to perform the requested action.

  Is this a bug, or is setting user options not allowed for LDAP users?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1857086/+subscriptions
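Two of the checks suggested in the reply above, worked through as an added example that is not keystone's own code and not from the thread: pulling the request context (request id, user, project, domains) out of the quoted keystone warning so you can confirm which identity the failing PATCH actually ran as, and building the PATCH body with only "options" when the user is LDAP-backed. It assumes oslo.log's default context layout "[req-<id> <user> <project> <domain> <user_domain> <project_domain>]"; the sample line is the one from the bug report re-joined onto one line.

```python
import re
from typing import Optional

# Constructed sample: the warning quoted in the bug report, re-joined onto one line.
SAMPLE_LOG = (
    "2019-12-19 23:58:59.759 51472 WARNING keystone.server.flask.application "
    "[req-7d011897-6662-46d1-9df3-8956bf9f5639 "
    "bf9f5018298590e9c675df62943158939e2e145758538564bca05042bc0a556a "
    "f9fe381c5db344ec8445bb8d45d0285b - default default] "
    "You are not authorized to perform the requested action.: Forbidden: "
    "You are not authorized to perform the requested action."
)

# Assumed oslo.log default context format:
# [req-<id> <user> <project> <domain> <user_domain> <project_domain>]
CONTEXT_RE = re.compile(
    r"\[(?P<request_id>req-[0-9a-f-]+) (?P<user>\S+) (?P<project>\S+) "
    r"(?P<domain>\S+) (?P<user_domain>\S+) (?P<project_domain>\S+)\]"
)


def parse_request_context(line: str) -> Optional[dict]:
    """Extract the request context from a keystone log line so the caller can
    check which user/project the 403'd request ran as (step 1 in the reply).
    Returns None when the line carries no context block."""
    match = CONTEXT_RE.search(line)
    if not match:
        return None
    # oslo.log prints "-" for an unset field; normalise that to None.
    return {k: (None if v == "-" else v) for k, v in match.groupdict().items()}


def build_user_patch(options: dict, enabled: Optional[bool] = None,
                     ldap_backed: bool = False) -> dict:
    """Build the body for PATCH /v3/users/{user_id}. For an LDAP-backed user
    "enabled" is a read-only user attribute, so it is omitted (step 3 in the
    reply) and only the resource options are sent."""
    user = {"options": dict(options)}
    if enabled is not None and not ldap_backed:
        user["enabled"] = enabled
    return {"user": user}


if __name__ == "__main__":
    print(parse_request_context(SAMPLE_LOG))
    print(build_user_patch({"multi_factor_auth_enabled": True},
                           enabled=True, ldap_backed=True))
```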
