← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #89122

[Bug 1978833] [NEW] can not create application credential for federated user when mapping uses group

  Thread PreviousDate PreviousThread Next 
Public bug reported:

Tested on devstack/master + SAML2 and victoria + OpenIDConnect.

Setup on devstack + SAML:
- install devstack as per keystone-dsvm-py3-functional-federation-ubuntu-focal job
- run the test keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2FederatedExternalAuthentication.test_request_scoped_token to ensure it works as expected
- get the scoped token for the federated user
  - (fwiw I failed to use openstackclient with v3samlpassword, so I resorted to some cheating)
  - commented out the cleanups in that test, and logged the scoped token, used it then with the openstackclient

try to create application credentials with that token:

openstack --debug application credential create test

fails with not finding roles:

Invalid application credential: Could not find role assignment with
role: 71a233e8d3f54a08a94ef260a39ce870, user or group:
055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91,
project, domain, or system: df0d47600acd46428321899a65e47157. (HTTP 400)
(Request-ID: req-429314bf-3060-4e94-ab78-69a10bdbd660)

even while roles are there per debug output of access info:

{"token": {"methods": ["token", "mapped"], "user": {"domain": {"id":
"c4235afadccd49ec8e2ea0bb013f930c", "name":
"c4235afadccd49ec8e2ea0bb013f930c"}, "id":
"055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91",
"name": "morty", "OS-FEDERATION": {"groups": [{"id":
"1660ce0da8694cc99d9ad0ccba6102e6"}], "identity_provider": {"id":
"samltest"}, "protocol": {"id": "mapped"}}}, "audit_ids":
["8yA8ngZRRZaYj99VfsLDkg"], "expires_at": "2022-06-15T14:48:14.000000Z",
"issued_at": "2022-06-15T13:48:14.000000Z", "project": {"domain": {"id":
"8f611bd7fca24b43b837e46205115279", "name": "federated_domain"}, "id":
"df0d47600acd46428321899a65e47157", "name": "federated_project"},
"is_domain": false, "roles": [{"id": "71a233e8d3f54a08a94ef260a39ce870",
"name": "member", "domain_id": null, "description": null, "options":
{"immutable": true}}, {"id": "fd6a812d75d340d2b46c04681ca69774", "name":
"reader", "domain_id": null, "description": null, "options":
{"immutable": true}}], "catalog": [{"endpoints": [{"id":
"1c0b1188496e4b4a991ef655dade6919", "interface": "public", "region_id":
"RegionOne", "url": "http://192.168.100.58/identity";, "region":
"RegionOne"}], "id": "d859f6754830449c997fd10cc21ace7c", "type":
"identity", "name": "keystone"}]}}

In the keystone there's the following trace:
https://paste.openstack.org/show/814941/

Note that when using a mapping with concrete role assignments (via auto-
provision of projects and explicitly assigning roles to them) everything
works and app creds can be created as expected.

Also a piece of a puzzle is that `openstack group contains user` does
not show this user
"055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91"
belonging to the group "1660ce0da8694cc99d9ad0ccba6102e6", and
`openstack role assignment list --user ... --effective` does not show
any assignments too (while it does for a usual, non-federated user that
only gets its roles thru a group membership).

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1978833

Title:
  can not create application credential for federated user when mapping
  uses group

Status in OpenStack Identity (keystone):
  New

Bug description:
  Tested on devstack/master + SAML2 and victoria + OpenIDConnect.

  Setup on devstack + SAML:
  - install devstack as per keystone-dsvm-py3-functional-federation-ubuntu-focal job
  - run the test keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2FederatedExternalAuthentication.test_request_scoped_token to ensure it works as expected
  - get the scoped token for the federated user
    - (fwiw I failed to use openstackclient with v3samlpassword, so I resorted to some cheating)
    - commented out the cleanups in that test, and logged the scoped token, used it then with the openstackclient

  try to create application credentials with that token:

  openstack --debug application credential create test

  fails with not finding roles:

  Invalid application credential: Could not find role assignment with
  role: 71a233e8d3f54a08a94ef260a39ce870, user or group:
  055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91,
  project, domain, or system: df0d47600acd46428321899a65e47157. (HTTP
  400) (Request-ID: req-429314bf-3060-4e94-ab78-69a10bdbd660)

  even while roles are there per debug output of access info:

  {"token": {"methods": ["token", "mapped"], "user": {"domain": {"id":
  "c4235afadccd49ec8e2ea0bb013f930c", "name":
  "c4235afadccd49ec8e2ea0bb013f930c"}, "id":
  "055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91",
  "name": "morty", "OS-FEDERATION": {"groups": [{"id":
  "1660ce0da8694cc99d9ad0ccba6102e6"}], "identity_provider": {"id":
  "samltest"}, "protocol": {"id": "mapped"}}}, "audit_ids":
  ["8yA8ngZRRZaYj99VfsLDkg"], "expires_at":
  "2022-06-15T14:48:14.000000Z", "issued_at":
  "2022-06-15T13:48:14.000000Z", "project": {"domain": {"id":
  "8f611bd7fca24b43b837e46205115279", "name": "federated_domain"}, "id":
  "df0d47600acd46428321899a65e47157", "name": "federated_project"},
  "is_domain": false, "roles": [{"id":
  "71a233e8d3f54a08a94ef260a39ce870", "name": "member", "domain_id":
  null, "description": null, "options": {"immutable": true}}, {"id":
  "fd6a812d75d340d2b46c04681ca69774", "name": "reader", "domain_id":
  null, "description": null, "options": {"immutable": true}}],
  "catalog": [{"endpoints": [{"id": "1c0b1188496e4b4a991ef655dade6919",
  "interface": "public", "region_id": "RegionOne", "url":
  "http://192.168.100.58/identity";, "region": "RegionOne"}], "id":
  "d859f6754830449c997fd10cc21ace7c", "type": "identity", "name":
  "keystone"}]}}

  In the keystone there's the following trace:
  https://paste.openstack.org/show/814941/

  Note that when using a mapping with concrete role assignments (via
  auto-provision of projects and explicitly assigning roles to them)
  everything works and app creds can be created as expected.

  Also a piece of a puzzle is that `openstack group contains user` does
  not show this user
  "055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91"
  belonging to the group "1660ce0da8694cc99d9ad0ccba6102e6", and
  `openstack role assignment list --user ... --effective` does not show
  any assignments too (while it does for a usual, non-federated user
  that only gets its roles thru a group membership).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1978833/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next