yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #89122
[Bug 1978833] [NEW] can not create application credential for federated user when mapping uses group
Public bug reported:
Tested on devstack/master + SAML2 and victoria + OpenIDConnect.
Setup on devstack + SAML:
- install devstack as per keystone-dsvm-py3-functional-federation-ubuntu-focal job
- run the test keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2FederatedExternalAuthentication.test_request_scoped_token to ensure it works as expected
- get the scoped token for the federated user
- (fwiw I failed to use openstackclient with v3samlpassword, so I resorted to some cheating)
- commented out the cleanups in that test, and logged the scoped token, used it then with the openstackclient
try to create application credentials with that token:
openstack --debug application credential create test
fails with not finding roles:
Invalid application credential: Could not find role assignment with
role: 71a233e8d3f54a08a94ef260a39ce870, user or group:
055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91,
project, domain, or system: df0d47600acd46428321899a65e47157. (HTTP 400)
(Request-ID: req-429314bf-3060-4e94-ab78-69a10bdbd660)
even while roles are there per debug output of access info:
{"token": {"methods": ["token", "mapped"], "user": {"domain": {"id":
"c4235afadccd49ec8e2ea0bb013f930c", "name":
"c4235afadccd49ec8e2ea0bb013f930c"}, "id":
"055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91",
"name": "morty", "OS-FEDERATION": {"groups": [{"id":
"1660ce0da8694cc99d9ad0ccba6102e6"}], "identity_provider": {"id":
"samltest"}, "protocol": {"id": "mapped"}}}, "audit_ids":
["8yA8ngZRRZaYj99VfsLDkg"], "expires_at": "2022-06-15T14:48:14.000000Z",
"issued_at": "2022-06-15T13:48:14.000000Z", "project": {"domain": {"id":
"8f611bd7fca24b43b837e46205115279", "name": "federated_domain"}, "id":
"df0d47600acd46428321899a65e47157", "name": "federated_project"},
"is_domain": false, "roles": [{"id": "71a233e8d3f54a08a94ef260a39ce870",
"name": "member", "domain_id": null, "description": null, "options":
{"immutable": true}}, {"id": "fd6a812d75d340d2b46c04681ca69774", "name":
"reader", "domain_id": null, "description": null, "options":
{"immutable": true}}], "catalog": [{"endpoints": [{"id":
"1c0b1188496e4b4a991ef655dade6919", "interface": "public", "region_id":
"RegionOne", "url": "http://192.168.100.58/identity", "region":
"RegionOne"}], "id": "d859f6754830449c997fd10cc21ace7c", "type":
"identity", "name": "keystone"}]}}
In the keystone there's the following trace:
https://paste.openstack.org/show/814941/
Note that when using a mapping with concrete role assignments (via auto-
provision of projects and explicitly assigning roles to them) everything
works and app creds can be created as expected.
Also a piece of a puzzle is that `openstack group contains user` does
not show this user
"055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91"
belonging to the group "1660ce0da8694cc99d9ad0ccba6102e6", and
`openstack role assignment list --user ... --effective` does not show
any assignments too (while it does for a usual, non-federated user that
only gets its roles thru a group membership).
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1978833
Title:
can not create application credential for federated user when mapping
uses group
Status in OpenStack Identity (keystone):
New
Bug description:
Tested on devstack/master + SAML2 and victoria + OpenIDConnect.
Setup on devstack + SAML:
- install devstack as per keystone-dsvm-py3-functional-federation-ubuntu-focal job
- run the test keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2FederatedExternalAuthentication.test_request_scoped_token to ensure it works as expected
- get the scoped token for the federated user
- (fwiw I failed to use openstackclient with v3samlpassword, so I resorted to some cheating)
- commented out the cleanups in that test, and logged the scoped token, used it then with the openstackclient
try to create application credentials with that token:
openstack --debug application credential create test
fails with not finding roles:
Invalid application credential: Could not find role assignment with
role: 71a233e8d3f54a08a94ef260a39ce870, user or group:
055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91,
project, domain, or system: df0d47600acd46428321899a65e47157. (HTTP
400) (Request-ID: req-429314bf-3060-4e94-ab78-69a10bdbd660)
even while roles are there per debug output of access info:
{"token": {"methods": ["token", "mapped"], "user": {"domain": {"id":
"c4235afadccd49ec8e2ea0bb013f930c", "name":
"c4235afadccd49ec8e2ea0bb013f930c"}, "id":
"055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91",
"name": "morty", "OS-FEDERATION": {"groups": [{"id":
"1660ce0da8694cc99d9ad0ccba6102e6"}], "identity_provider": {"id":
"samltest"}, "protocol": {"id": "mapped"}}}, "audit_ids":
["8yA8ngZRRZaYj99VfsLDkg"], "expires_at":
"2022-06-15T14:48:14.000000Z", "issued_at":
"2022-06-15T13:48:14.000000Z", "project": {"domain": {"id":
"8f611bd7fca24b43b837e46205115279", "name": "federated_domain"}, "id":
"df0d47600acd46428321899a65e47157", "name": "federated_project"},
"is_domain": false, "roles": [{"id":
"71a233e8d3f54a08a94ef260a39ce870", "name": "member", "domain_id":
null, "description": null, "options": {"immutable": true}}, {"id":
"fd6a812d75d340d2b46c04681ca69774", "name": "reader", "domain_id":
null, "description": null, "options": {"immutable": true}}],
"catalog": [{"endpoints": [{"id": "1c0b1188496e4b4a991ef655dade6919",
"interface": "public", "region_id": "RegionOne", "url":
"http://192.168.100.58/identity", "region": "RegionOne"}], "id":
"d859f6754830449c997fd10cc21ace7c", "type": "identity", "name":
"keystone"}]}}
In the keystone there's the following trace:
https://paste.openstack.org/show/814941/
Note that when using a mapping with concrete role assignments (via
auto-provision of projects and explicitly assigning roles to them)
everything works and app creds can be created as expected.
Also a piece of a puzzle is that `openstack group contains user` does
not show this user
"055a4f727a3358c9037831569fc46aab98e6e2d4be5a6597ec7cc19fd5afbc91"
belonging to the group "1660ce0da8694cc99d9ad0ccba6102e6", and
`openstack role assignment list --user ... --effective` does not show
any assignments too (while it does for a usual, non-federated user
that only gets its roles thru a group membership).
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1978833/+subscriptions
Follow ups