Your message dated Fri, 3 Jan 2025 13:36:34 +0100
with message-id <[email protected]>
and subject line Should be fixed
has caused the Debian Bug report #990544,
regarding python3-keystone: Some federated-identity operations fail due to provider name being a bytestream
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
990544: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990544
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-keystone
Version: 2:14.2.0-0+deb10u1
Severity: normal
Tags: patch upstream


Hello,

With Keystone configured as a federated-identity Service Provider (with the IdP accessed over OpenID in our case but it might affect other protocols as well), certain operations performed as a federated user - e.g. obtaining a scoped token from an unscoped one using 'openstack token issue' - report a server error 500. On the server side, Keystone logs show the following exception:

INFO keystone.common.wsgi [req-foo bar baz - Federated default] POST https://osc.example.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-foo bar baz - Federated default]
identity_provider failed validation: <function
FederatedCredential.<lambda> at 0xdeadbeef>: ValueError:
identity_provider failed validation: <function
FederatedCredential.<lambda> at 0xdeadbeef>
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/common/wsgi.py", line 148, in
__call__
ERROR keystone.common.wsgi     result = method(req, **params)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/auth/controllers.py", line 67,
in authenticate_for_token
ERROR keystone.common.wsgi     self.authenticate(request, auth_info,
auth_context)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/auth/controllers.py", line 236,
in authenticate
ERROR keystone.common.wsgi     auth_info.get_method_data(method_name))
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/auth/plugins/token.py", line
46, in authenticate
ERROR keystone.common.wsgi     PROVIDERS.identity_api
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/auth/plugins/mapped.py", line
101, in handle_scoped_token
ERROR keystone.common.wsgi     send_notification(taxonomy.OUTCOME_SUCCESS)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/notifications.py", line 685, in
send_saml_audit_notification
ERROR keystone.common.wsgi     user=user_id, groups=group_ids)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/pycadf/credential.py", line 84, in __init__
ERROR keystone.common.wsgi     setattr(self,
FED_CRED_KEYNAME_IDENTITY_PROVIDER, identity_provider)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/pycadf/cadftype.py", line 66, in __set__
ERROR keystone.common.wsgi     (self.name, self.func))
ERROR keystone.common.wsgi ValueError: identity_provider failed
validation: <function FederatedCredential.<lambda> at 0xdeadbeef>

i.e. the request has succeeded but then things fall over when an audit
notification is to be sent.

Having poked around the sources of
keystone.notifications.send_saml_audit_notifications() and the code it
references, I found out the following:
  - the lambda function which triggers the error checks if
'identity_provider' is a six string type;
  - when this error occurs the value of 'identity_provider' is indeed
the name of my IdP - but as *bytes* rather than str!
  - this doesn't happen every time this IdP name is used - if I add a simple
identity_provider = identity_provider.decode('utf-8') to the relevant
function I start getting errors suggesting that under some circumstances,
'identity_provider' is str as it should be.
All in all, it seems this particular bit of Keystone code does not fully
support Python3 in Rocky.

A simple workaround that I have put in place (which is why debsums has found notifications.py to have changed) looks as follows:

--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -680,6 +680,8 @@
     user_id = user_id or taxonomy.UNKNOWN
     token_id = token_id or taxonomy.UNKNOWN
     group_ids = group_ids or []
+    if isinstance(identity_provider, bytes):
+        identity_provider = identity_provider.decode('utf-8')
     cred = credential.FederatedCredential(token=token_id, type=audit_type,

identity_provider=identity_provider,
                                           user=user_id, groups=group_ids)
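Review bot: the added `isinstance(identity_provider, bytes)` / `.decode('utf-8')` pair only covers names that are valid UTF-8; a bytes value that is not decodable raises UnicodeDecodeError at the same point in send_saml_audit_notification, so the audit step would still turn an already-successful authentication into a 500. Consider either catching the decode failure and substituting taxonomy.UNKNOWN (as the surrounding lines already do for user_id and token_id) or normalising the type where identity_provider is produced, so the value reaches this function as str in every code path rather than only sometimes, as the report observes.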

On Debian 10 Keystone is a Python3-only package so I didn't bother with six. With this patch in place getting scoped tokens works and I have yet to hear from our federated users about any authentication-related issues. Unfortunately having changed the contents of a package I had to put python3-keystone on hold, which of course means no automatic security updates.

PS. I have already mentioned the problem upstream, see
http://lists.openstack.org/pipermail/openstack-discuss/2021-June/023281.html


-- System Information:
Debian Release: 10.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/56 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to
default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-keystone depends on:
ii  python3                        3.7.3-1
ii  python3-babel                  2.6.0+dfsg.1-1
ii  python3-bcrypt                 3.1.6-1
ii  python3-crypto                 2.6.1-9+b1
ii  python3-cryptography           2.6.1-3+deb10u2
ii  python3-dateutil               2.7.3-3
ii  python3-dogpile.cache          0.6.2-6
ii  python3-flask                  1.0.2-3
ii  python3-flask-restful          0.3.7-1
ii  python3-jsonschema             2.6.0-4
ii  python3-keystoneclient         1:3.17.0-2
ii  python3-keystonemiddleware     5.2.0-2
ii  python3-ldap [python3-pyldap]  3.1.0-2
ii  python3-ldappool               2.3.1-1
ii  python3-lxml                   4.3.2-1+deb10u3
ii  python3-memcache               1.59-1
ii  python3-migrate                0.11.0-5
ii  python3-msgpack                0.5.6-1+b1
ii  python3-mysqldb                1.3.10-2
ii  python3-oauthlib               2.1.0-1
ii  python3-openstackclient        3.16.2-1
ii  python3-oslo.cache             1.30.3-1
ii  python3-oslo.concurrency       3.27.0-3
ii  python3-oslo.config            1:6.4.1-1
ii  python3-oslo.context           2.21.0-2
ii  python3-oslo.db                4.40.0-3
ii  python3-oslo.i18n              3.21.0-2
ii  python3-oslo.log               3.39.0-2
ii  python3-oslo.messaging         8.1.4-1+deb10u1
ii  python3-oslo.middleware        3.36.0-2
ii  python3-oslo.policy            1.38.1-2
ii  python3-oslo.serialization     2.27.0-2
ii  python3-oslo.utils             3.36.5-0+deb10u1
ii  python3-osprofiler             2.3.0-3
ii  python3-passlib                1.7.1-1
ii  python3-pbr                    4.2.0-5
ii  python3-pycadf                 2.7.0-2
ii  python3-pymysql                0.9.3-1
ii  python3-pysaml2                4.5.0-4+deb10u1
ii  python3-routes                 2.4.1-1
ii  python3-scrypt                 0.8.0-0.1+b1
ii  python3-six                    1.12.0-1
ii  python3-sqlalchemy             1.2.18+ds1-2
ii  python3-stevedore              1.29.0-2
ii  python3-tz                     2019.1-1
ii  python3-webob                  1:1.8.5-1

python3-keystone recommends no packages.

python3-keystone suggests no packages.

-- debconf information excluded

-- debsums errors found:
perl: warning: Setting locale failed.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
debsums: changed file
/usr/lib/python3/dist-packages/keystone/notifications.py (from
python3-keystone package)

--- End Message ---
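The type mismatch the report describes, as an added example that is not code from the bug report, Keystone or pycadf: a simplified stand-in for pycadf's validating descriptor and FederatedCredential (the class and attribute names mirror the traceback; their bodies are assumptions made here), plus a normalisation helper of the kind the reporter's workaround adds. It shows that a str name passes, a bytes name fails validation after the request itself has succeeded, and that decoding strictly makes an undecodable name fail loudly rather than be audited under an altered value.

```python
"""Added example, not from the bug report or from Keystone/pycadf.
Mimics the pycadf validation path from the traceback and the
bytes-to-str normalisation the reporter's patch performs."""


class ValidatorDescriptor:
    """Simplified stand-in for pycadf.cadftype.ValidatorDescriptor (assumed
    shape): stores a value only if the validator function accepts it."""

    def __init__(self, name, func):
        self.name = name
        self.func = func

    def __get__(self, instance, owner):
        if instance is None:
            return self
        return instance.__dict__.get(self.name)

    def __set__(self, instance, value):
        if not self.func(value):
            # Same message shape as the ValueError in the report.
            raise ValueError('%s failed validation: %s' % (self.name, self.func))
        instance.__dict__[self.name] = value


class FederatedCredential:
    """Stand-in for pycadf.credential.FederatedCredential (assumed shape).
    The validator only accepts text, which is why a bytes IdP name is rejected."""

    identity_provider = ValidatorDescriptor(
        'identity_provider', lambda x: isinstance(x, str))

    def __init__(self, identity_provider):
        self.identity_provider = identity_provider


def normalize_identity_provider(identity_provider):
    """Coerce a bytes IdP name to str, as the reporter's patch does.
    Decoding is strict on purpose: a name that is not valid UTF-8 raises
    UnicodeDecodeError instead of being silently rewritten before it is
    recorded in the audit event. A str is returned unchanged."""
    if isinstance(identity_provider, bytes):
        return identity_provider.decode('utf-8')
    return identity_provider


def build_credential(identity_provider):
    """Build the audit credential the way send_saml_audit_notification does.
    Returns (credential, None) on success or (None, error_message) when
    validation fails, i.e. the point at which the report's 500 originated."""
    try:
        return FederatedCredential(identity_provider), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == '__main__':
    # Constructed sample names, not taken from any real deployment.
    for name in ('idp.example.org', b'idp.example.org'):
        cred, err = build_credential(name)
        print(repr(name), '->', 'ok' if cred else err)
        cred, err = build_credential(normalize_identity_provider(name))
        print(repr(name), 'normalised ->', 'ok' if cred else err)
```

Running the block prints one failing and three succeeding attempts: the raw bytes name is rejected with the report's "identity_provider failed validation" message, and the same name passes once normalised.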
--- Begin Message ---
Hi,

Since we're currently at Keystone 26 instead of 14, and that it doesn't use six anymore, it should be fixed. Sorry that I didn't get to fix this bug as I never used a federated env for keystone.

Cheers,

Thomas Goirand (zigo)

--- End Message ---
