Public bug reported:

When trying to use tokenless authentication, authentication fails with the following traceback:

http://paste.openstack.org/show/742271/

git bisect shows this is the commit that introduced the bug: 0dc5c4edabd5cb0455ffe1c4f8cf8369f64b2197

Steps to reproduce:

(Can start out with configuring devstack with the tls-proxy service to have devstack generate a root CA, but then you need to remove the default proxy configuration in /etc/apache2/sites-available/http-services-tls-proxy.conf it generates)

Configure keystone behind Apache with mod_ssl and the following mod_ssl options:

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /opt/stack/data/devstack-cert.pem
    SSLCACertificateFile /opt/stack/data/CA/root-ca/cacert.pem
    SSLOptions +StdEnvVars
    SSLVerifyClient optional
    SSLUserName SSL_CLIENT_S_DN_CN
    SetEnv REMOTE_DOMAIN openstack
</VirtualHost>

In keystone.conf set up external authentication and tokenless auth:

[tokenless_auth]
trusted_issuer = CN=Root CA,OU=DevStack Certificate Authority,O=OpenStack

[auth]
methods = password,token,external
external = Domain

Create a client certificate with the example user values from the tokenless auth docs, signed by the root CA:

$ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
$ openssl x509 -req -in CSR.csr -CA /opt/stack/data/CA/root-ca/cacert.pem -CAkey /opt/stack/data/CA/root-ca/private/cacert.key -days 365 -out john.pem -CAcreateserial

Create the IdP, mapping and protocol:

$ openstack identity provider create ad9b5af1ba36ffc36e1fbf7af5e83e25aebf66bbfefc12eed0313a875e6f9663
$ openstack mapping create x509map --rules rules.json
$ openstack federation protocol create x509 --mapping x509map --identity-provider ad9b5af1ba36ffc36e1fbf7af5e83e25aebf66bbfefc12eed0313a875e6f9663

Create a local user with role assignments:

$ openstack domain create openstack
$ openstack user create john --domain openstack
$ openstack role add --user john --user-domain openstack --project demo member

Get a token for the user:

$ curl -v -k -s -X POST --cert john.pem --key privateKey.key -H "x-project-name: demo" -H "x-project-domain-id: default" https://192.168.122.248/identity/v3/auth/tokens -d '{"auth": {"identity": { "methods": [ "external" ], "external": { "user": { "name": "john", "domain": { "name": "openstack" } } } } } }' -H 'content-type: application/json'

Try to validate the token with tokenless auth (as in the documented example):

$ curl -v -k -s -X GET --cert /home/devuser/john.pem --key /home/devuser/privateKey.key -H "x-project-name: demo" -H "x-project-domain-id: default" https://192.168.122.248/identity/v3/auth/tokens -H "x-subject-token: <token>"

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1811605

Title:
  Tokenless authentication is broken

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1811605/+subscriptions
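The reproduction above depends on a chain of checks that the report leaves implicit: mod_ssl verifies the client certificate and exports SSL_CLIENT_* variables into the WSGI environment (SSLOptions +StdEnvVars); Keystone compares the certificate's issuer DN against [tokenless_auth] trusted_issuer; the identity provider it then looks up is named by the SHA-256 hex digest of that issuer DN (which is why the IdP in the report is created with a 64-character hex name); and the scope comes from the X-Project-Name / X-Project-Domain-Id headers. The following is an added example written for this page, not code from the bug report or from Keystone: it models those decisions in a small function so they can be exercised offline. The sample environ, the function names and the simplified scope rules are assumptions made for the illustration.

```python
# Added illustration of the checks behind Keystone's tokenless (X.509)
# authentication; not Keystone's own code. The environ below is constructed
# to look like what mod_ssl exports for the "john" certificate in the report.
import hashlib

# Mirrors [tokenless_auth] trusted_issuer from the report's keystone.conf.
TRUSTED_ISSUERS = ["CN=Root CA,OU=DevStack Certificate Authority,O=OpenStack"]
ISSUER_ATTRIBUTE = "SSL_CLIENT_I_DN"   # Keystone's default issuer_attribute

# Constructed sample data (assumption): what +StdEnvVars and the two
# x-project-* request headers would leave in the WSGI environ.
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": "CN=Root CA,OU=DevStack Certificate Authority,O=OpenStack",
    "SSL_CLIENT_S_DN_CN": "john",
    "HTTP_X_PROJECT_NAME": "demo",
    "HTTP_X_PROJECT_DOMAIN_ID": "default",
}


def idp_id_from_issuer(issuer_dn):
    """Identity-provider ID: SHA-256 hex digest of the issuer DN string."""
    return hashlib.sha256(issuer_dn.encode("utf-8")).hexdigest()


def scope_from_headers(environ):
    """Return the project scope requested via headers, or None if absent/ambiguous.

    Simplified for the example: either a project ID alone, or a project name
    together with its domain ID or name. Domain-only scoping is omitted.
    """
    project_id = environ.get("HTTP_X_PROJECT_ID")
    project_name = environ.get("HTTP_X_PROJECT_NAME")
    domain_id = environ.get("HTTP_X_PROJECT_DOMAIN_ID")
    domain_name = environ.get("HTTP_X_PROJECT_DOMAIN_NAME")
    if project_id and not (project_name or domain_id or domain_name):
        return {"project_id": project_id}
    if project_name and not project_id:
        if domain_id:
            return {"project_name": project_name, "project_domain_id": domain_id}
        if domain_name:
            return {"project_name": project_name, "project_domain_name": domain_name}
    return None


def _deny(reason):
    return {"allowed": False, "reason": reason, "context": None}


def evaluate_tokenless(environ, trusted_issuers=TRUSTED_ISSUERS):
    """Decide whether a request without a token may proceed on its client cert.

    Returns {"allowed": bool, "reason": str, "context": dict or None}.
    """
    # 1. Only a certificate that mod_ssl actually verified counts.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return _deny("client certificate not verified by mod_ssl")
    # 2. The issuer must be one of the configured trusted issuers.
    issuer = environ.get(ISSUER_ATTRIBUTE)
    if not issuer:
        return _deny("%s missing from environ (SSLOptions +StdEnvVars?)" % ISSUER_ATTRIBUTE)
    if issuer not in trusted_issuers:
        return _deny("issuer not in trusted_issuer: %s" % issuer)
    # 3. Scope must be supplied unambiguously by the x-project-* headers.
    scope = scope_from_headers(environ)
    if scope is None:
        return _deny("missing or ambiguous project scope headers")
    context = {
        "idp_id": idp_id_from_issuer(issuer),
        "protocol_id": "x509",                            # as created in the report
        "user_name": environ.get("SSL_CLIENT_S_DN_CN"),   # the SSLUserName attribute
        "scope": scope,
    }
    return {"allowed": True, "reason": "ok", "context": context}


if __name__ == "__main__":
    print(evaluate_tokenless(SAMPLE_ENVIRON))
```

In the real deployment the user lookup is done by the mapping in rules.json (not shown in the report) against the SSL_CLIENT_* attributes, so this example stops at producing the IdP ID, protocol and scope that the mapping would consume. A quick way to confirm the IdP name matches the issuer is to compare `idp_id_from_issuer(...)` with the exact string mod_ssl puts in SSL_CLIENT_I_DN, since any difference in DN formatting changes the digest and the protocol lookup fails.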