Reviewed: https://review.openstack.org/635993 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1b261e8bec31a6de3905557abde0da93d5c0437a Submitter: Zuul Branch: master
commit 1b261e8bec31a6de3905557abde0da93d5c0437a Author: Guang Yee <[email protected]> Date: Fri Feb 8 16:56:40 2019 -0800 populate request context with X.509 tokenless cred information Fixes X.509 tokenless auth by properly populating the request context with the necessary credential information. Since Stein release, RBAC has been using the credential information from the Keystone request context instead of the authentication context. Therefore, we'll need to populate the request context with the necessary credential information from the X.509 tokenless authentication context. Closes-Bug: 1811605 Change-Id: I170a91e9ac36990d1e7ec4165dd0337b8f06a938 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1811605 Title: Tokenless authentication is broken Status in OpenStack Identity (keystone): Fix Released Bug description: When trying to use tokenless authentication, authentication fails with the following traceback: http://paste.openstack.org/show/742271/ git bisect shows this is the commit that introduced the bug: 0dc5c4edabd5cb0455ffe1c4f8cf8369f64b2197 Steps to reproduce: (Can start out with configuring devstack with the tls-proxy service to have devstack generate a root CA but then you need to remove the default proxy configuration in /etc/apache2/sites-available/http- services-tls-proxy.conf it generates) Configure keystone behind Apache with mod_ssl and the following mod_ssl options: <VirtualHost *:443> SSLEngine On SSLCertificateFile /opt/stack/data/devstack-cert.pem SSLCACertificateFile /opt/stack/data/CA/root-ca/cacert.pem SSLOptions +StdEnvVars SSLVerifyClient optional SSLUserName SSL_CLIENT_S_DN_CN SetEnv REMOTE_DOMAIN openstack </Virtualhost> In keystone.conf set up external authentication and tokenless auth: [tokenless_auth] trusted_issuer = CN=Root CA,OU=DevStack Certificate Authority,O=OpenStack [auth] methods = password,token,external external = Domain Create a client certificate with the example user values from the tokenless auth docs, signed by the root CA: $ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key $ openssl x509 -req -in CSR.csr -CA /opt/stack/data/CA/root-ca/cacert.pem -CAkey /opt/stack/data/CA/root-ca/private/cacert.key -days 365 -out john.pem -CAcreateserial Create the IdP, mapping and protocol: $ openstack identity provider create ad9b5af1ba36ffc36e1fbf7af5e83e25aebf66bbfefc12eed0313a875e6f9663 $ openstack mapping create x509map --rules rules.json $ openstack federation protocol create x509 --mapping x509map --identity-provider ad9b5af1ba36ffc36e1fbf7af5e83e25aebf66bbfefc12eed0313a875e6f9663 Create a local user with role assignments: $ openstack domain create openstack $ openstack user create john --domain openstack $ openstack role add --user john --user-domain openstack --project demo member Get a token for the user: $ curl -v -k -s -X POST --cert john.pem --key privateKey.key -H "x -project-name: demo" -H "x-project-domain-id: default" https://192.168.122.248/identity/v3/auth/tokens -d '{"auth": {"identity": { "methods": [ "external" ], "external": { "user": { "name": "john", "domain": { "name": "openstack" } } } } } }' -H 'content-type: application/json' Try to validate the token with tokenless auth (as in the documented example): $ curl -v -k -s -X GET --cert /home/devuser/john.pem --key /home/devuser/privateKey.key -H "x-project-name: demo" -H "x-project- domain-id: default" https://192.168.122.248/identity/v3/auth/tokens -H "x-subject-token: <token>" To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1811605/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
