Public bug reported:

The Saml2 tempest plugin tests are broken. Example:

http://logs.openstack.org/00/476200/5/check/gate-keystone-dsvm-functional-v3-only-ubuntu-xenial-nv/f71024f/console.html

keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2EcpFederatedAuthentication.test_request_scoped_token
----------------------------------------------------------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):
      File "/opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py", line 167, in test_request_scoped_token
        resp = self._request_unscoped_token()
      File "/opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py", line 116, in _request_unscoped_token
        self.assertEqual(http_client.OK, resp.status_code)
      File "/opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/testtools/testcase.py", line 411, in assertEqual
        self.assertThat(observed, matcher, message)
      File "/opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/testtools/testcase.py", line 498, in assertThat
        raise mismatch_error
    testtools.matchers._impl.MismatchError: 200 != 401


From the keystone logs:

Jun 27 13:38:01.904864 ubuntu-xenial-osic-cloud1-s3700-9538683 
devstack@keystone.service[3059]: DEBUG keystone.federation.utils [None 
req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] assertion data: 
{'CONTEXT_DOCUMENT_ROOT': u'/var/www/html', 'SERVER_SOFTWARE': u'Apache/2.4.18 
(Ubuntu)', 'CONTEXT_PREFIX': u'', 'REQUEST_SCHEME': u'http', 
'webob.adhoc_attrs': {'response': <Response at 0x7f72b413b650 200 OK>}, 
'SERVER_SIGNATURE': u'<address>Apache/2.4.18 (Ubuntu) Server at 10.12.215.84 
Port 80</address>\n', 'REQUEST_METHOD': u'GET', 
'keystone.oslo_request_context': <keystone.common.context.RequestContext object 
at 0x7f72b412e3d0>, 'PATH_INFO': 
u'/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth', 
'SERVER_PROTOCOL': u'HTTP/1.1', 'QUERY_STRING': u'', 'PATH': 
u'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'REMOTE_ADDR': 
u'10.12.215.84', 'CONTENT_LENGTH': u'0', 'HTTP_USER_AGENT': 
u'python-requests/2.18.1', 'HTTP_CONNECTION': u'keep-alive', 'REMOTE_PORT': 
 u'55194', 'SERVER_NAME': u'10.12.215.84', 'routes.route': <routes.route.Route 
object at 0x7f72b47167d0>, 'HTTP_PAOS': 
u'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
 'wsgi.url_scheme': u'http', 'wsgiorg.routing_args': (<routes.util.URLGenerator 
object at 0x7f72b413b550>, {'idp_id': u'testshib', 'protocol_id': u'mapped'}), 
'SERVER_PORT': u'80', 'uwsgi.node': u'ubuntu-xenial-osic-cloud1-s3700-9538683', 
'SERVER_ADDR': u'10.12.215.84', 'DOCUMENT_ROOT': u'/var/www/html', 
'webob._parsed_query_vars': (GET([]), ''), 'SCRIPT_FILENAME': 
u'proxy:uwsgi://uwsgi-uds-keystone-wsgi-public//v3/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth',
 'SERVER_ADMIN': u'webmaster@localhost', 'wsgi.input': <_io.BytesIO object at 
0x7f72b4753e90>, 'HTTP_HOST': u'10.12.215.84', 'SCRIPT_NAME': u'/identity/v3', 
'proxy-sendcl': u'1', 'wsgi.multithread': False, 'webob.is_body_readable': 
True, 'routes.url': <routes.util.URLGenerator object at 0x7f72b413b550>, 
'REQUEST_URI': 
u'/identity/v3/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth',
 'HTTP_ACCEPT':
Jun 27 13:38:01.905296 ubuntu-xenial-osic-cloud1-s3700-9538683 
devstack@keystone.service[3059]:  u'text/html, application/vnd.paos+xml', 
'openstack.request_id': u'req-b05cfa0a-139b-422d-9e96-0e74b96c10c3', 
'wsgi.version': (1, 0), 'openstack.context': {'token_id': None}, 
'GATEWAY_INTERFACE': u'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <open 
file 'wsgi_errors', mode 'w' at 0x7f72b4745540>, 'wsgi.multiprocess': True, 
'keystone.token_auth': 
<keystonemiddleware.auth_token._user_plugin.UserAuthPlugin object at 
0x7f72b6354ed0>, 'uwsgi.version': u'2.0.15', 'webob.is_body_seekable': True, 
'wsgi.file_wrapper': <built-in function uwsgi_sendfile>, 
'HTTP_ACCEPT_ENCODING': u'gzip, deflate'} {{(pid=3061) process 
/opt/stack/new/keystone/keystone/federation/utils.py:512}}
Jun 27 13:38:01.905592 ubuntu-xenial-osic-cloud1-s3700-9538683 
devstack@keystone.service[3059]: DEBUG keystone.federation.utils [None 
req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] assertion: 
{'CONTEXT_DOCUMENT_ROOT': [u'/var/www/html'], 'SERVER_SOFTWARE': 
[u'Apache/2.4.18 (Ubuntu)'], 'CONTEXT_PREFIX': [u''], 'SERVER_SIGNATURE': 
[u'<address>Apache/2.4.18 (Ubuntu) Server at 10.12.215.84 Port 
80</address>\n'], 'REQUEST_METHOD': [u'GET'], 'PATH_INFO': 
[u'/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth'], 
'SERVER_PROTOCOL': [u'HTTP/1.1'], 'QUERY_STRING': [u''], 'PATH': 
[u'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'], 
'CONTENT_LENGTH': [u'0'], 'HTTP_USER_AGENT': [u'python-requests/2.18.1'], 
'HTTP_CONNECTION': [u'keep-alive'], 'SERVER_NAME': [u'10.12.215.84'], 
'REMOTE_PORT': [u'55194'], 'HTTP_PAOS': [u'ver="urn:liberty:paos:2003-08"', 
u'"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'], 'wsgi.url_scheme': 
[u'http'], 'SERVER_PORT': [u'80'], 'uwsgi.node': 
[u'ubuntu-xenial-osic-cloud1-s3700-9538683'], 'SERVER_ADDR': 
[u'10.12.215.84'], 'DOCUMENT_ROOT': [u'/var/www/html'], 'SCRIPT_FILENAME': 
[u'proxy:uwsgi://uwsgi-uds-keystone-wsgi-public//v3/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth'],
 'SERVER_ADMIN': [u'webmaster@localhost'], 'HTTP_HOST': [u'10.12.215.84'], 
'SCRIPT_NAME': [u'/identity/v3'], 'proxy-sendcl': [u'1'], 'REQUEST_URI': 
[u'/identity/v3/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth'],
 'HTTP_ACCEPT': [u'text/html, application/vnd.paos+xml'], 
'openstack.request_id': [u'req-b05cfa0a-139b-422d-9e96-0e74b96c10c3'], 
'GATEWAY_INTERFACE': [u'CGI/1.1'], 'uwsgi.version': [u'2.0.15'], 'REMOTE_ADDR': 
[u'10.12.215.84'], 'REQUEST_SCHEME': [u'http'], 'HTTP_ACCEPT_ENCODING': 
[u'gzip, deflate']} {{(pid=3061) process 
/opt/stack/new/keystone/keystone/federation/utils.py:515}}
Jun 27 13:38:01.905974 ubuntu-xenial-osic-cloud1-s3700-9538683 
devstack@keystone.service[3059]: DEBUG keystone.federation.utils [None 
req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] rules: [{u'local': 
[{u'user': {u'name': u'{0}'}}, {u'group': {u'domain': {u'name': 
u'federated_domain'}, u'name': u'federated_users'}}], u'remote': [{u'type': 
u'eppn'}]}] {{(pid=3061) process 
/opt/stack/new/keystone/keystone/federation/utils.py:518}}
Jun 27 13:38:01.906062 ubuntu-xenial-osic-cloud1-s3700-9538683 
devstack@keystone.service[3059]: DEBUG keystone.federation.utils [None 
req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] identity_values: [] 
{{(pid=3061) process /opt/stack/new/keystone/keystone/federation/utils.py:538}}
Jun 27 13:38:01.906153 ubuntu-xenial-osic-cloud1-s3700-9538683 
devstack@keystone.service[3059]: WARNING keystone.federation.utils [None 
req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] Could not map any federated 
user properties to identity values. Check debug logs or the mapping used for 
additional details.
Jun 27 13:38:01.909617 ubuntu-xenial-osic-cloud1-s3700-9538683 
devstack@keystone.service[3059]: WARNING keystone.common.wsgi [None 
req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] Authorization failed. The 
request you have made requires authentication. from 10.12.215.84: Unauthorized: 
The request you have made requires authentication.

So the SAML assertion is incorrect for some reason.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1700847

Title:
  tempest plugin tests are broken

Status in OpenStack Identity (keystone):
  New
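
The keystone DEBUG lines in the report can be checked mechanically: the mapping's only `remote` requirement is `eppn`, and the logged assertion has no such key, which is why `identity_values` is empty and the request ends in a 401. The script below is an added example, not part of the original report or of keystone's code; its function names are hypothetical, the log sample is constructed from the lines above, and it assumes a rule can match only when every `remote` attribute is present and non-empty (it ignores `any_one_of`, `not_any_of` and `regex` conditions).

```python
import ast
import re

# Constructed sample: the report's DEBUG lines cut down to three assertion
# keys, with the journal prefix dropped and a placeholder request id.
SAMPLE_LOG = """\
DEBUG keystone.federation.utils [None req-EXAMPLE None None] assertion: {'REQUEST_METHOD': [u'GET'], 'HTTP_ACCEPT': [u'text/html, application/vnd.paos+xml'], 'REMOTE_ADDR': [u'10.12.215.84']} {{(pid=3061) process utils.py:515}}
DEBUG keystone.federation.utils [None req-EXAMPLE None None] rules: [{u'local': [{u'user': {u'name': u'{0}'}}, {u'group': {u'domain': {u'name': u'federated_domain'}, u'name': u'federated_users'}}], u'remote': [{u'type': u'eppn'}]}] {{(pid=3061) process utils.py:518}}
DEBUG keystone.federation.utils [None req-EXAMPLE None None] identity_values: [] {{(pid=3061) process utils.py:538}}
"""

# "assertion data:" lines are skipped on purpose: they hold object reprs
# that are not Python literals.
FIELD = re.compile(r"\] (assertion|rules|identity_values): (.*?) \{\{\(pid=")


def parse_debug_fields(log_text):
    """Return the literal payload of each recognised DEBUG field."""
    fields = {}
    for line in log_text.splitlines():
        match = FIELD.search(line)
        if match:
            fields[match.group(1)] = ast.literal_eval(match.group(2))
    return fields


def missing_remote_attributes(fields):
    """Per rule: (index, attributes required, attributes absent or empty)."""
    assertion = fields.get("assertion", {})
    report = []
    for index, rule in enumerate(fields.get("rules", [])):
        wanted = [req["type"] for req in rule.get("remote", []) if "type" in req]
        missing = [name for name in wanted if not assertion.get(name)]
        report.append((index, wanted, missing))
    return report


def diagnose(log_text):
    """Summarise why the mapping produced no identity values."""
    fields = parse_debug_fields(log_text)
    report = missing_remote_attributes(fields)
    return {
        "report": report,
        "no_rule_can_match": all(bool(missing) for _, _, missing in report),
        "identity_values": fields.get("identity_values"),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
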
