Our stable branch policy dictates that we don't backport features, and an API-impacting one would be the first to be denied in review.
Sadly, it looks like a significant oversight in the original implementation, though.

** Changed in: keystone
       Status: New => Invalid

--
https://bugs.launchpad.net/bugs/1575368

Title:
  Federation Unable to handle multiple groups

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  I'm using OIDC federated authentication, and I'm able to use the mapping
  JSON to do ephemeral user authentication.

  Following is my mapping JSON:

    [
      {
        "local": [
          {
            "user": { "name": "{0}" },
            "group": { "id": "{1}" },
            "domain": { "name": "default" }
          }
        ],
        "remote": [
          { "type": "HTTP_OIDC_EMAIL" },
          { "type": "HTTP_OIDC_GROUP" },
          {
            "type": "HTTP_OIDC_ISS",
            "any_one_of": [ "https://myidp.cisco.com/oauth2" ]
          }
        ]
      }
    ]

  When tested with the keystone-manage mapping, I'm able to see multiple
  groups properly.

  Output of Keystone-mapping verification:

    {
      "group_ids": [
        "5207b97776914a6b9f99e1c985533863,23a70aa1af5f4439afb628a10f53ade3"
      ],
      "user": {
        "domain": { "id": "Federated" },
        "type": "ephemeral",
        "name": "kathu...@cisco.com"
      },
      "group_names": []
    }

  However, when the same flow is executed through the OIDC, I get the
  following error message:

    {"error": {"message": "Group ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping fed_mapping was not found in the backend. (Disable debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}

  I looked into the util.py code and printed the groups that were coming
  into the validate_groups_in_backend function.

    validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:258
    2016-04-26 12:38:46.750572 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_ids list [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:259
    2016-04-26 12:38:46.750704 25124 DEBUG keystone.contrib.federation.utils [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] printing group_id ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] validate_groups_in_backend /opt/stack/keystone/keystone/contrib/federation/utils.py:260
    2016-04-26 12:38:47.092780 25124 WARNING keystone.common.wsgi [req-b54b5075-a4e5-46fc-a600-f8a07cfaf2cf - - - - -] Group ['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3'] returned by mapping openam_mapping was not found in the backend. (Disable debug mode to suppress these details.)
    (END)

  It looks like the list is formed incorrectly:

    [u"['5207b97776914a6b9f99e1c985533863', '23a70aa1af5f4439afb628a10f53ade3']"]

  It should have been:

    [u'5207b97776914a6b9f99e1c985533863', u'23a70aa1af5f4439afb628a10f53ade3']

  Thanks,
  Krishna
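
Added example (not part of the bug report and not Keystone's code): one way a multi-valued assertion substituted into "{1}" ends up as the single stringified ID seen in the log, and a normalization step that splits it before a fail-closed backend check. The names substitute, normalize_group_ids, validate_groups and BACKEND_GROUPS are hypothetical, and the use of str.format() and of ',' / ';' as separators are assumptions.

```python
import ast

# Constructed sample data: the two group IDs quoted in the report.
GROUP_A = "5207b97776914a6b9f99e1c985533863"
GROUP_B = "23a70aa1af5f4439afb628a10f53ade3"
BACKEND_GROUPS = {GROUP_A, GROUP_B}  # hypothetical stand-in for the identity backend


def substitute(template, direct_maps):
    """Hypothetical '{N}' substitution: str.format() stringifies a list value."""
    return template.format(*direct_maps)


def normalize_group_ids(value):
    """Expand one mapped value into individual group IDs.

    Accepts a real list, a stringified Python list, or a ','/';'
    separated string (the separators are an assumption).
    """
    if isinstance(value, (list, tuple)):
        items = list(value)
    elif value.strip().startswith("["):
        try:
            items = ast.literal_eval(value.strip())  # literals only, never eval()
        except (ValueError, SyntaxError):
            raise ValueError("malformed group list: %r" % (value,))
        if not isinstance(items, list):
            raise ValueError("malformed group list: %r" % (value,))
    else:
        items = value.replace(";", ",").split(",")
    return [str(i).strip() for i in items if str(i).strip()]


def validate_groups(group_ids, backend=BACKEND_GROUPS):
    """Fail closed: reject the whole assertion if any mapped ID is unknown."""
    missing = [g for g in group_ids if g not in backend]
    if missing:
        raise LookupError("groups not found in backend: %s" % missing)
    return list(group_ids)
```
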