Reviewed: https://review.openstack.org/293184
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e5dcb3b4b6bdecd0947cba32cb3732ca52ed07c3
Submitter: Jenkins
Branch: master

commit e5dcb3b4b6bdecd0947cba32cb3732ca52ed07c3
Author: guang-yee <[email protected]>
Date: Tue Mar 15 17:29:42 2016 -0700

    Mapping which yields no identities should result in ValidationError

    Currently, mapping produces a bogus "blind" default identity when no
    rules match the incoming attributes. This is unnecessary and downright
    dangerous. There's absolutely no use case for the "blind" identity.
    Furthermore, consumers of mapped properties assumed that the "blind"
    identity is legit. This leads to expected failures such as KeyError when
    they try to reference the required identity attributes such as
    user['name']. We should raise ValidationError if the rules yield no
    valid identity.

    This patch also removes the tests where the bogus "blind" identity is
    expected.

    Change-Id: I117621673ffc0b4f8e2c48721329daa3b6090327
    Closes-Bug: 1557238

** Changed in: keystone
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1557238

Title:
  mapping yield no valid identity result in HTTP 500 error

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  A mapping which yields no valid identity (i.e. no local user or group)
  will result in HTTP 500 instead of 401. There are two issues.

  1. We automatically return a default ephemeral user mapped_properties
     when mapping yields no valid local identity or groups.
  2. In the mapped auth plugin, we assume the mapped_properties contains
     a valid local identity or group.

  To reproduce the problem:

  1. Set up WebSSO or K2K.
  2. Create a mapping rule for the given IdP and protocol which yields
     neither a local identity nor a group. For example,

     [
       {
         "local": [
           {
             "user": {
               "type": "local",
               "name": "{0}",
               "domain": {
                 "name": "{1}"
               }
             }
           }
         ],
         "remote": [
           {
             "type": "openstack_user"
           },
           {
             "type": "openstack_user_domain"
           },
           {
             "type": "openstack_roles",
             "any_one_of": [
               "bogus"
             ]
           }
         ]
       }
     ]

  3. Do the federation dance and you'll get an HTTP 500 and a traceback
     as pretty as this one.

  2016-03-14 17:16:05.536 12497 DEBUG keystone.federation.utils [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] updating a direct mapping: [u'Unset']
  2016-03-14 17:16:05.536 _verify_all_requirements /opt/stack/keystone/keystone/federation/utils.py:796
  2016-03-14 17:16:05.536 12497 DEBUG keystone.federation.utils [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] identity_values: []
  2016-03-14 17:16:05.536 process /opt/stack/keystone/keystone/federation/utils.py:534
  2016-03-14 17:16:05.536 12497 DEBUG keystone.federation.utils [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] mapped_properties: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral'}, 'group_names': []}
  2016-03-14 17:16:05.536 process /opt/stack/keystone/keystone/federation/utils.py:536
  2016-03-14 17:16:05.620 12497 ERROR keystone.common.wsgi [req-159bde9f-8a2d-4885-af31-304be9af8db7 - - - - -] 'name'
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi Traceback (most recent call last):
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/wsgi.py", line 249, in __call__
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     result = method(context, **params)
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/federation/controllers.py", line 302, in federated_authentication
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     return self.authenticate_for_token(context, auth=auth)
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/controllers.py", line 396, in authenticate_for_token
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     self.authenticate(context, auth_info, auth_context)
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/controllers.py", line 520, in authenticate
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     auth_context)
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 65, in authenticate
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     self.identity_api)
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 144, in handle_unscoped_token
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     get_user_unique_id_and_display_name(context, mapped_properties)
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 253, in get_user_unique_id_and_display_name
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi     return (user['id'], user['name'])
  2016-03-14 17:16:05.620 12497 TRACE keystone.common.wsgi KeyError: 'name'
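The failure mode in this bug, as an added example that is not keystone's own code: a simplified model of the mapping step evaluates the report's rule against a constructed assertion, and the `strict` flag switches between the old "blind" ephemeral default (which then fails on `user['name']`, the KeyError in the traceback) and the fixed behaviour of raising a ValidationError. The `ValidationError` class and the sample data are assumptions made here.

```python
# Added example, not keystone's own code: a simplified model of the
# federation mapping step this bug describes.  If no rule yields a local
# user or group, the pre-fix code returned a "blind" ephemeral identity
# (later KeyError: 'name', HTTP 500); the fix raises ValidationError.
# ValidationError and all sample data here are constructed.

class ValidationError(Exception):
    pass

def rule_matches(rule, assertion):
    # Every remote attribute must be present and satisfy any_one_of.
    for req in rule["remote"]:
        value = assertion.get(req["type"])
        if value is None:
            return False
        if "any_one_of" in req and value not in req["any_one_of"]:
            return False
    return True

def process(mapping, assertion, strict):
    """Return mapped_properties; strict=True is the post-fix behaviour."""
    user, group_ids = {}, []
    for rule in mapping:
        if not rule_matches(rule, assertion):
            continue
        vals = [assertion[r["type"]] for r in rule["remote"]]
        for local in rule["local"]:
            if "user" in local:
                name, dom = local["user"]["name"], local["user"]["domain"]["name"]
                user = {"type": "local", "name": name.format(*vals),
                        "domain": {"name": dom.format(*vals)}}
            if "group" in local:
                group_ids.append(local["group"]["id"])
    if not user and not group_ids:
        if strict:
            raise ValidationError("mapping yielded no local identity or group")
        user = {"type": "ephemeral", "domain": {"id": "Federated"}}  # blind
    return {"user": user, "group_ids": group_ids}

def display_name(mapped_properties):
    # The consumer in the traceback assumed user['name'] always exists.
    return mapped_properties["user"]["name"]

# Constructed sample: the report's rule; "bogus" is never in the roles.
MAPPING = [{"local": [{"user": {"type": "local", "name": "{0}",
                                "domain": {"name": "{1}"}}}],
            "remote": [{"type": "openstack_user"},
                       {"type": "openstack_user_domain"},
                       {"type": "openstack_roles", "any_one_of": ["bogus"]}]}]
ASSERTION = {"openstack_user": "alice", "openstack_user_domain": "Default",
             "openstack_roles": "member"}
```

Calling `process(MAPPING, ASSERTION, strict=False)` reproduces the `mapped_properties` seen in the DEBUG log line above, and feeding it to `display_name` reproduces the KeyError; with `strict=True` the same input raises ValidationError before any consumer touches it.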

