[Yahoo-eng-team] [Bug 1662762] Re: Authentication for LDAP user fails at MFA rule check

2017-05-16 Thread Lance Bragstad
** Changed in: keystone/ocata
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1662762

Title:
  Authentication for LDAP user fails at MFA rule check

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) ocata series:
  Fix Released

Bug description:
  I have an openstack master with LDAP server configured (fernet token
  provider). With the new changes around MFA rules
  (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs),
  I see that the authentication (POST /token) call fails at
  https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/auth/core.py#L377

  def check_auth_methods_against_rules(self, user_id, auth_methods):
      user_ref = self.identity_api.get_user(user_id)
      mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])

  In the last line the code flow expects user_ref to always have an
  options attribute, which is not present for LDAP users, due to which
  we get the below and authentication fails:

  INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
  ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - -] 'options'
  ERROR keystone.common.wsgi Traceback (most recent call last):
  ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
  ERROR keystone.common.wsgi     result = method(req, **params)
  ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in authenticate_for_token
  ERROR keystone.common.wsgi     auth_context['user_id'], method_names_set):
  ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in check_auth_methods_against_rules
  ERROR keystone.common.wsgi     mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
  ERROR keystone.common.wsgi KeyError: 'options'

  Conversation from #openstack-keystone on Freenode:
  http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-02-07.log.html#t2017-02-07T14:01:09

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1662762/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
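The failure in the bug report above, reproduced outside keystone as an added example (this is not keystone's code). It models the two backends the IRC discussion contrasts: an SQL user ref that always carries an `options` dict and an LDAP user ref that lacks the key, and shows why a direct subscript turns every token request for the LDAP user into a server error rather than an allow or deny decision. The option name `MFA_RULES_OPT`, the user refs and the rule-evaluation semantics in `rules_allow` are constructed for illustration and are assumptions, not the project's definitions; both remedies named in the IRC log (tolerating a missing key in the check, or having the LDAP model always return an empty `options` dict) are shown.

```python
"""Added example, not keystone code: a missing 'options' key on an
LDAP-backed user ref and the two fixes discussed on #openstack-keystone."""

# Assumed option name for illustration; keystone keeps the real one in
# resource_options (ro.MFA_RULES_OPT.option_name in the traceback).
MFA_RULES_OPT = "multi_factor_auth_rules"

# Constructed user refs. The SQL backend always carries an 'options' dict;
# the LDAP backend (before the fix) returned a ref with no such key.
SQL_USER = {
    "id": "sql-user",
    "name": "alice",
    "options": {MFA_RULES_OPT: [["password", "totp"], ["token"]]},
}
LDAP_USER = {"id": "ldap-user", "name": "bob"}  # note: no 'options' key


def rules_allow(mfa_rules, auth_methods):
    """Assumed rule semantics: each rule is a list of method names; the
    request passes when no rules are configured or when every method of
    at least one rule was used. Check the blueprint for the real rules."""
    if not mfa_rules:
        return True
    used = set(auth_methods)
    return any(set(rule) <= used for rule in mfa_rules)


def check_buggy(user_ref, auth_methods):
    """Mirrors the failing line: a direct subscript on 'options' raises
    KeyError for any backend that does not populate the key."""
    mfa_rules = user_ref["options"].get(MFA_RULES_OPT, [])
    return rules_allow(mfa_rules, auth_methods)


def check_tolerant(user_ref, auth_methods):
    """Remedy 1 from the IRC log: let the rule check tolerate a missing key,
    treating 'no options' as 'no MFA rules'."""
    mfa_rules = user_ref.get("options", {}).get(MFA_RULES_OPT, [])
    return rules_allow(mfa_rules, auth_methods)


def normalize_ldap_user(user_ref):
    """Remedy 2 (the one preferred in the IRC log): make the LDAP model
    return an empty options dict so both backends look the same to callers.
    Returns a copy; the input ref is left untouched."""
    ref = dict(user_ref)
    ref.setdefault("options", {})
    return ref


def authenticate(check, user_ref, auth_methods):
    """Collapse the outcome to 'ok', 'denied' or 'error'. 'error' is the
    unhandled KeyError that the WSGI layer logged as a 500 in the report."""
    try:
        return "ok" if check(user_ref, auth_methods) else "denied"
    except KeyError:
        return "error"


if __name__ == "__main__":
    for label, ref in (("sql", SQL_USER), ("ldap", LDAP_USER)):
        print(label, "buggy:", authenticate(check_buggy, ref, ["password"]))
        print(label, "tolerant:", authenticate(check_tolerant, ref, ["password"]))
        print(label, "normalized:",
              authenticate(check_buggy, normalize_ldap_user(ref), ["password"]))
```

The operational difference between "denied" and "error" matters for detection: a denied request is a policy outcome that shows up as a 401 and an audit event, whereas the KeyError surfaces as a 500 with a traceback in the keystone log, which is the signature an operator should look for if LDAP users suddenly cannot obtain tokens after an upgrade.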


[Yahoo-eng-team] [Bug 1662762] Re: Authentication for LDAP user fails at MFA rule check

2017-02-24 Thread OpenStack Infra
Reviewed:  https://review.openstack.org/437402
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=4e0029455ab45e3b9a15fe9fc151c14c502b7bdd
Submitter: Jenkins
Branch:    master

commit 4e0029455ab45e3b9a15fe9fc151c14c502b7bdd
Author: Matthew Edmonds 
Date:   Fri Feb 24 00:41:11 2017 -0500

Fix MFA rule checks for LDAP auth

LDAP authentication was broken by the addition of MFA rule checking.
This patch fixes that.

Change-Id: I4efe4b1b90c93110509cd599f9dd047c313dade3
Closes-Bug: #1662762


** Changed in: keystone
   Status: In Progress => Fix Released


Title:
  Authentication for LDAP user fails at MFA rule check

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) ocata series:
  Triaged



[Yahoo-eng-team] [Bug 1662762] Re: Authentication for LDAP user fails at MFA rule check

2017-02-08 Thread Lance Bragstad
** Description changed:

  I have a openstack master with LDAP server configured (fernet token
  provider). With the new changes around MFA rules
  (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-
  reqs), I see that the authentication (POST /token) call fails at
- https://github.com/openstack/keystone/blob/master/keystone/auth/core.py#L377
+ 
https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/auth/core.py#L377
  
- def check_auth_methods_against_rules(self, user_id, auth_methods):   
- user_ref = self.identity_api.get_user(user_id)
- mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
+ def check_auth_methods_against_rules(self, user_id, auth_methods):
+ user_ref = self.identity_api.get_user(user_id)
+ mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
  
  In the last line the code flow expects user_Ref to always have an
  options attribute and this is not present for LDAP users due to which we
  get the below and authentication fails
  
  INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - 
-] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
  ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - 
-] 'options'
  ERROR keystone.common.wsgi Traceback (most recent call last):
  ERROR keystone.common.wsgi File 
"/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in 
__call__
  ERROR keystone.common.wsgi result = method(req, **params)
  ERROR keystone.common.wsgi File 
"/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in 
authenticate_for_token
  ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
  ERROR keystone.common.wsgi File 
"/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in 
check_auth_methods_against_rules
  ERROR keystone.common.wsgi mfa_rules = 
user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
  ERROR keystone.common.wsgi KeyError: 'options'
  
- 
  dikonoor> dstanek:I am trying to understand if 'options' is a mandatory 
attribute in user_ref.
   dstanek: and how it gets populated
   dikonoor: it appears that it is mandatory and that we only added it 
to the SQL model
   i think maybe the LDAP model should always have an empty options 
dictionary as an attribute
   morgan: ^ does that sound correct?
   dstanek:morgan: either an empty options attribute should be added 
or the MFA rule check code above must be modified to make it 
user_ref.get('options') ..Let me go ahead and open a defect for this
   dikonoor: i prefer empty to the models look the same

** Description changed:

  I have a openstack master with LDAP server configured (fernet token
  provider). With the new changes around MFA rules
  (https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-
  reqs), I see that the authentication (POST /token) call fails at
  
https://github.com/openstack/keystone/blob/029476272fb869c6413aa4e70f4cae6f890e598f/keystone/auth/core.py#L377
  
  def check_auth_methods_against_rules(self, user_id, auth_methods):
  user_ref = self.identity_api.get_user(user_id)
  mfa_rules = user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
  
  In the last line the code flow expects user_Ref to always have an
  options attribute and this is not present for LDAP users due to which we
  get the below and authentication fails
  
  INFO keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - 
-] POST https://ip9-114-192-140.pok.stglabs.ibm.com:5000/v3/auth/tokens
  ERROR keystone.common.wsgi [req-279e9036-6c6a-4fc8-9dfe-1d219931195c - - - - 
-] 'options'
  ERROR keystone.common.wsgi Traceback (most recent call last):
  ERROR keystone.common.wsgi File 
"/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in 
__call__
  ERROR keystone.common.wsgi result = method(req, **params)
  ERROR keystone.common.wsgi File 
"/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 132, in 
authenticate_for_token
  ERROR keystone.common.wsgi auth_context['user_id'], method_names_set):
  ERROR keystone.common.wsgi File 
"/usr/lib/python2.7/site-packages/keystone/auth/core.py", line 377, in 
check_auth_methods_against_rules
  ERROR keystone.common.wsgi mfa_rules = 
user_ref['options'].get(ro.MFA_RULES_OPT.option_name, [])
  ERROR keystone.common.wsgi KeyError: 'options'
  
- dikonoor> dstanek:I am trying to understand if 'options' is a mandatory 
attribute in user_ref.
-  dstanek: and how it gets populated
-  dikonoor: it appears that it is mandatory and that we only added it 
to the SQL model
-  i think maybe the LDAP model should always have an empty options 
dictionary as an attribute
-  morgan: ^ does that sound correct?
-  dstanek:morgan: either an empty options attribute should be added 
or the MFA rule check code above must be modified to make it