** Summary changed:

- Unable to list federated projects with domain-scoped token
+ Unable to list federated projects with unscoped token

** Description changed:

  When I got the federated user project list, the error is as bellow:
  
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in 
__call__
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi     result = 
method(req, **params)
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 164, in 
inner
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi     return f(self, 
request, *args, **kwargs)
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi   File 
"/usr/lib/python2.7/site-packages/keystone/federation/controllers.py", line 
480, in list_projects_for_user
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi     
request.auth_context['group_ids'])
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi KeyError: 'group_ids'
- 2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi 
+ 2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi
  
  and I have got the token scoped in domain.
  
  My mapping rule is as bellow:
  
  [
  {
-     "local": [
-                 {
-                    "user": {
-                         "name": "{0}",
-                         "domain": {
-                             "name": "{1}"
-                         },
-                         "type": "local"
-                     }
-                 }
-             ],
-     "remote": [
-         {
-             "type": "openstack_user"
-         },
-         {
-             "type": "openstack_user_domain"
-         }
-     ]
+     "local": [
+                 {
+                    "user": {
+                         "name": "{0}",
+                         "domain": {
+                             "name": "{1}"
+                         },
+                         "type": "local"
+                     }
+                 }
+             ],
+     "remote": [
+         {
+             "type": "openstack_user"
+         },
+         {
+             "type": "openstack_user_domain"
+         }
+     ]
  }
  ]
  
- The error is that token is scoped in domain and 'group_ids' is not in the 
auth_context. So we should verify whether
- it is in the context.
+ The error is that token is an unscoped token which is got from the API
+ “/v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth”
+ and then the federated user want to get the projects. But error occurs.

** Changed in: keystone
       Status: Invalid => In Progress

https://bugs.launchpad.net/bugs/1693704

Title:
  Unable to list federated projects with unscoped token

Status in OpenStack Identity (keystone):
  In Progress

Bug description:
  When I got the federated user project list, the error is as below:

  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi     result = method(req, **params)
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 164, in inner
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi     return f(self, request, *args, **kwargs)
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/federation/controllers.py", line 480, in list_projects_for_user
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi     request.auth_context['group_ids'])
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi KeyError: 'group_ids'
  2017-05-26 15:12:54.685 12742 ERROR keystone.common.wsgi

  and I have got the token scoped in domain.

  My mapping rule is as below:

  [
  {
      "local": [
                  {
                     "user": {
                          "name": "{0}",
                          "domain": {
                              "name": "{1}"
                          },
                          "type": "local"
                      }
                  }
              ],
      "remote": [
          {
              "type": "openstack_user"
          },
          {
              "type": "openstack_user_domain"
          }
      ]
  }
  ]

  The error is that the token is an unscoped token which was obtained from the API
  “/v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth”
  and then the federated user wants to get the projects. But an error occurs.
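
The traceback above ends at request.auth_context['group_ids'] inside list_projects_for_user. The following is an added example, not keystone's code and not the fix for this bug: a simplified stand-in handler that indexes the key directly, beside one that tolerates its absence and fails closed when no user is present. All function names, IDs and assignments are hypothetical.

```python
# Simplified stand-in for a handler that lists projects for a federated user.
# All names and data below are constructed; this is not keystone's code.

# Constructed role assignments: who (user or group) can access which project.
USER_PROJECTS = {"fed-user-1": ["proj-a"]}
GROUP_PROJECTS = {"grp-dev": ["proj-b"], "grp-ops": ["proj-c"]}


class Unauthorized(Exception):
    """Would map to an HTTP 401 instead of an unhandled 500."""


def _projects(user_id, group_ids):
    # Union of direct user assignments and assignments via each group.
    found = set(USER_PROJECTS.get(user_id, []))
    for gid in group_ids:
        found.update(GROUP_PROJECTS.get(gid, []))
    return sorted(found)


def list_projects_unguarded(auth_context):
    # Mirrors the failing line in the traceback: direct indexing raises
    # KeyError when the token's context carries no 'group_ids'.
    return _projects(auth_context["user_id"], auth_context["group_ids"])


def list_projects_guarded(auth_context):
    # Fail closed when there is no authenticated user at all.
    user_id = auth_context.get("user_id")
    if not user_id:
        raise Unauthorized("no authenticated user in auth context")
    # Assumption: a context without groups means "no group membership",
    # so only the user's direct assignments are returned.
    group_ids = auth_context.get("group_ids") or []
    return _projects(user_id, group_ids)


# Constructed auth contexts: one with mapped groups, one without the key.
WITH_GROUPS = {"user_id": "fed-user-1", "group_ids": ["grp-dev"]}
WITHOUT_GROUPS = {"user_id": "fed-user-1"}

if __name__ == "__main__":
    print(list_projects_guarded(WITH_GROUPS))
    print(list_projects_guarded(WITHOUT_GROUPS))
    try:
        list_projects_unguarded(WITHOUT_GROUPS)
    except KeyError as exc:
        print("unguarded handler raised KeyError:", exc)
```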
