Public bug reported:

While testing the ocata codebase, it seems that the addition of the multifactor auth in core breaks our LDAP identity backend.

We are getting an exception while loading the user to check if it has MFA enabled or not. The LDAP identity driver does not provide an options attribute for the user and then it throws an exception in this specific line (https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)

For giving some context, these are the 2 lines concerned (keystone/auth/core.py)

376:        user_ref = self.identity_api.get_user(user_id)
377:        mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

The first one loads the user from the identity driver and the 2nd one uses an attribute that does not exist in LDAP implementation, so it throws an exception.

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  While testing the ocata codebase, it seems that the addition of the multifactor auth in core, breaks our LDAP identity backend.

  We are getting an exception while loading the user to check if it has MFA enabled or not. The LDAP identity driver does not provide a options attribute for the user and then it throws an exception in this specific line (https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)

- For giving some context, I am adding the whole function
+ For giving some context, in keystone/auth/core.py

- 366:     def check_auth_methods_against_rules(self, user_id, auth_methods):
- 367:         """Validate the MFA rules against the successful auth methods.
- 368:
- 369:         :param user_id: The user's ID (uuid).
- 370:         :type user_id: str
- 371:         :param auth_methods: List of methods that were used for auth
- 372:         :type auth_methods: set
- 373:         :returns: Boolean, ``True`` means rules match and auth may proceed,
- 374:                   ``False`` means rules do not match.
- 375:         """
  376:         user_ref = self.identity_api.get_user(user_id)
  377:         mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

  The first one loads the user from the identity driver and the 2nd one uses an attribute that does not exist in LDAP implementation, so it throws an exception

** Description changed:

  While testing the ocata codebase, it seems that the addition of the multifactor auth in core, breaks our LDAP identity backend.

  We are getting an exception while loading the user to check if it has MFA enabled or not. The LDAP identity driver does not provide a options attribute for the user and then it throws an exception in this specific line (https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)

- For giving some context, in keystone/auth/core.py
-
+ For giving some context, I am adding the whole function
+ :::python
+ 366:     def check_auth_methods_against_rules(self, user_id, auth_methods):
+ 367:         """Validate the MFA rules against the successful auth methods.
+ 368:
+ 369:         :param user_id: The user's ID (uuid).
+ 370:         :type user_id: str
+ 371:         :param auth_methods: List of methods that were used for auth
+ 372:         :type auth_methods: set
+ 373:         :returns: Boolean, ``True`` means rules match and auth may proceed,
+ 374:                   ``False`` means rules do not match.
+ 375:         """
  376:         user_ref = self.identity_api.get_user(user_id)
  377:         mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

  The first one loads the user from the identity driver and the 2nd one uses an attribute that does not exist in LDAP implementation, so it throws an exception

** Description changed:

  While testing the ocata codebase, it seems that the addition of the multifactor auth in core, breaks our LDAP identity backend.

  We are getting an exception while loading the user to check if it has MFA enabled or not. The LDAP identity driver does not provide a options attribute for the user and then it throws an exception in this specific line (https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)

  For giving some context, I am adding the whole function
- :::python
+ (keystone/auth/core.py)
+
+ 366:     def check_auth_methods_against_rules(self, user_id, auth_methods):
  367:         """Validate the MFA rules against the successful auth methods.
  368:
  369:         :param user_id: The user's ID (uuid).
  370:         :type user_id: str
  371:         :param auth_methods: List of methods that were used for auth
  372:         :type auth_methods: set
  373:         :returns: Boolean, ``True`` means rules match and auth may proceed,
  374:                   ``False`` means rules do not match.
  375:         """
  376:         user_ref = self.identity_api.get_user(user_id)
  377:         mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

  The first one loads the user from the identity driver and the 2nd one uses an attribute that does not exist in LDAP implementation, so it throws an exception

** Description changed:

  While testing the ocata codebase, it seems that the addition of the multifactor auth in core, breaks our LDAP identity backend.

  We are getting an exception while loading the user to check if it has MFA enabled or not. The LDAP identity driver does not provide a options attribute for the user and then it throws an exception in this specific line (https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)

- For giving some context, I am adding the whole function
+ For giving some context, these are the 2 lines concerned
  (keystone/auth/core.py)
-
- 366:     def check_auth_methods_against_rules(self, user_id, auth_methods):
- 367:         """Validate the MFA rules against the successful auth methods.
- 368:
- 369:         :param user_id: The user's ID (uuid).
- 370:         :type user_id: str
- 371:         :param auth_methods: List of methods that were used for auth
- 372:         :type auth_methods: set
- 373:         :returns: Boolean, ``True`` means rules match and auth may proceed,
- 374:                   ``False`` means rules do not match.
- 375:         """
  376:         user_ref = self.identity_api.get_user(user_id)
  377:         mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

  The first one loads the user from the identity driver and the 2nd one uses an attribute that does not exist in LDAP implementation, so it throws an exception

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1672425

Title:
  No 'options' attribute in user_ref when using LDAP identity backend

Status in OpenStack Identity (keystone):
  New

Bug description:
  While testing the ocata codebase, it seems that the addition of the multifactor auth in core breaks our LDAP identity backend.

  We are getting an exception while loading the user to check if it has MFA enabled or not. The LDAP identity driver does not provide an options attribute for the user and then it throws an exception in this specific line (https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377)

  For giving some context, these are the 2 lines concerned (keystone/auth/core.py)

  376:        user_ref = self.identity_api.get_user(user_id)
  377:        mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

  The first one loads the user from the identity driver and the 2nd one uses an attribute that does not exist in LDAP implementation, so it throws an exception.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1672425/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
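
The lookup failure described in this report, reproduced outside keystone as an added example (not code from the report or from keystone). Plain dicts stand in for the user refs returned by `identity_api.get_user()`; `MFA_RULES_KEY`, the sample users, the simplified rule matching and the tolerant lookup are assumptions made for illustration.

```python
# Added illustration, not keystone code. Plain dicts stand in for the
# user refs that identity_api.get_user() returns.
MFA_RULES_KEY = "multi_factor_auth_rules"  # assumed stand-in for ro.MFA_RULES_OPT.option_name

# Constructed sample refs: one carries 'options', the LDAP-style one does not.
SQL_USER = {"id": "u1", "name": "alice",
            "options": {MFA_RULES_KEY: [["password", "totp"]]}}
LDAP_USER = {"id": "u2", "name": "bob"}


def mfa_rules_strict(user_ref):
    """Lookup written like line 377: KeyError when 'options' is absent."""
    return user_ref["options"].get(MFA_RULES_KEY, [])


def mfa_rules_tolerant(user_ref):
    """Treat a missing or None 'options' as 'no rules configured'."""
    options = user_ref.get("options") or {}
    return options.get(MFA_RULES_KEY, [])


def check_auth_methods(user_ref, auth_methods, lookup):
    """Return True when auth may proceed (simplified rule matching).

    No rules means no MFA requirement; otherwise at least one non-empty
    rule must be fully covered by the methods that succeeded.
    """
    rules = lookup(user_ref)
    if not rules:
        return True
    methods = set(auth_methods)
    return any(rule and set(rule) <= methods for rule in rules)


def try_check(user_ref, auth_methods, lookup):
    """Run the check and report a KeyError instead of propagating it."""
    try:
        return check_auth_methods(user_ref, auth_methods, lookup)
    except KeyError as exc:
        return "KeyError: %s" % exc


if __name__ == "__main__":
    for user in (SQL_USER, LDAP_USER):
        for lookup in (mfa_rules_strict, mfa_rules_tolerant):
            print(user["name"], lookup.__name__,
                  try_check(user, {"password"}, lookup))
```

The tolerant lookup falls back to the same empty rule list that the original `.get(..., [])` already returns for a user whose options carry no MFA rules, so rules stored on a user are still enforced.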