Reviewed:  https://review.openstack.org/634816
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=505fe204795330c12bc00fce3510902a5b59457d
Submitter: Zuul
Branch:    master

commit 505fe204795330c12bc00fce3510902a5b59457d
Author: Guang Yee <[email protected]>
Date:   Mon Feb 4 13:27:05 2019 -0800

    Fixes incorrect params

    Fixes incorrect parameters passed into
    keystone.federation.utils.transform_to_group_ids() which resulted in
    HTTP 500 internal error.

    Added an additional test case to test mapping with group domain name in
    it as this scenario was never tested before.

    Change-Id: I4112e5968cd0d52444b686a3777da56203ae95ad
    Closes-Bug: 1814589

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1814589

Title:
  Tokenless auth: ephemeral user mapping is broken

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Using an ephemeral user mapping for X.509 tokenless auth, Keystone
  service will return an HTTP 500 internal error and then we'll see a
  traceback similar to this in the logs.

  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi Traceback (most recent call last):
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 275, in _inner
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi return method(self, request)
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 164, in process_request
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi self.fill_context(request)
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 238, in fill_context
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi auth_context = self._build_tokenless_auth_context(request)
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/middleware/auth.py", line 64, in _build_tokenless_auth_context
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi domain_id)
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/tokenless_auth.py", line 138, in get_mapped_user
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi self.identity_api, self.assignment_api))
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 412, in transform_to_group_ids
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi group['name'], resolve_domain(group['domain']))
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/federation/utils.py", line 405, in resolve_domain
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi resource_api.get_domain_by_name(
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi File "/opt/stack/keystone/keystone/common/manager.py", line 200, in __getattr__
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi f = getattr(self.driver, name)
  Feb 04 21:59:19 keystone-idp [email protected][11401]: ERROR keystone.common.wsgi AttributeError: 'Assignment' object has no attribute 'get_domain_by_name'

  Steps to reproduce the problem:

  1) Set up X.509 tokenless auth per
     https://docs.openstack.org/keystone/pike/advanced-topics/configure_tokenless_x509.html

  2) Create an ephemeral user mapping. i.e.

     [
       {
         "local": [
           {
             "user": {
               "name": "{0}",
               "domain": {
                 "name": "{1}"
               },
               "type": "ephemeral"
             },
             "group": {
               "domain": {
                 "name": "Default"
               },
               "name": "admin"
             }
           }
         ],
         "remote": [
           {
             "type": "SSL_CLIENT_S_DN_CN"
           },
           {
             "type": "SSL_CLIENT_S_DN_O"
           }
         ]
       }
     ]

  3) Use curl to test a keystone API. For example,

     curl --cert user_cert.pem --key user_private_key.pem \
          --cacert /etc/keystone/ca.pem \
          -H 'X-Project-Name: admin' -H 'X-Project-Domain-Id: default' \
          https://192.168.0.10/identity/v3/projects/75e168e8a575448f9fa878b4c4475075
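
The failure in the traceback above, reduced to a runnable model: an added example, not keystone's code and not part of the original report. The class bodies, the `transform_to_group_ids` signature and the returned id format are simplified assumptions; only the names taken from the traceback and the `group` entry from the mapping come from the report.

```python
# Simplified model of the failure in the traceback; classes and signatures
# here are illustrative assumptions, not keystone's implementation.

class Manager:
    """Forwards unknown attributes to its driver, as manager.py does in the traceback."""
    def __init__(self, driver):
        self.driver = driver

    def __getattr__(self, name):
        return getattr(self.driver, name)


class Resource:      # stand-in driver that can look up domains
    def get_domain_by_name(self, name):
        return {"id": name.lower(), "name": name}


class Assignment:    # stand-in driver with no domain lookups
    pass


class Identity:      # stand-in driver that can look up groups
    def get_group_by_name(self, name, domain_id):
        return {"id": f"{domain_id}:{name}"}


def transform_to_group_ids(group_names, identity_api, resource_api):
    """Resolve each group's domain by name, then the group itself."""
    for group in group_names:
        domain_id = resource_api.get_domain_by_name(group["domain"]["name"])["id"]
        yield identity_api.get_group_by_name(group["name"], domain_id)["id"]


# The "group" entry of the mapping in the report: a group identified by domain *name*.
GROUPS = [{"domain": {"name": "Default"}, "name": "admin"}]


def buggy_call():
    # The assignment manager sits where the resource manager is expected.
    return list(transform_to_group_ids(GROUPS, Manager(Identity()), Manager(Assignment())))


def fixed_call():
    return list(transform_to_group_ids(GROUPS, Manager(Identity()), Manager(Resource())))


if __name__ == "__main__":
    try:
        buggy_call()
    except AttributeError as exc:
        print("buggy:", exc)
    print("fixed:", fixed_call())
```

Because the manager forwards every attribute lookup to its driver, the wrong argument is only noticed when a mapping actually needs a domain-name lookup, which is the scenario the commit message says had no test.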

