[Yahoo-eng-team] [Bug 1394083] Re: ldap user_filter is not honored while authenticating
[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.] ** Changed in: keystone Status: Incomplete => Expired -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1394083 Title: ldap user_filter is not honored while authenticating Status in OpenStack Identity (keystone): Expired Bug description: When full LDAP logging is enabled, we can see that the inital LDAP search query does not use the user_filter while it tries to find the user DN from the LDAP. This causes authentication to fail if we have two users with same name in the LDAP in the same tree but with different ids. We use memberOf filter to limit which users are seen by Keystone. I traced the issue to keystone/common/ldap/core.py method get_by_name which only seems to filter by user name ignoring the filter set in the configuration. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1394083/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1600393] Re: v2.0 catalog seen in v3 token
[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.] ** Changed in: keystone Status: Incomplete => Expired -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1600393 Title: v2.0 catalog seen in v3 token Status in OpenStack Identity (keystone): Expired Bug description: During a Rally test of our deployment using Mitaka keystone we observed the following traceback in the logs. It seems that the v3 catalog is returned as a list whereas the v2.0 catalog is a dict. But the format_catalog() function always expects a dict. 2016-07-06 03:00:55.171 18314 INFO eventlet.wsgi.server [req-5ebbe11b-5efb-4606-a46c-58f100a8a550 5716d29278b8438a95f718ea926e4e7a 954d6157b061441197b228ac7b4dd6ee - default default] 10.111.109.191,10.111.109.89 - - [06/Jul/2016 03:00:55] "DELETE /v2.0/tenants/37b1a3bad0e54dc2a9824ac51ba02a9f HTTP/1.1" 204 212 0.070017 2016-07-06 03:00:55.779 18323 DEBUG keystone.middleware.auth [req-9843ab92-0f8f-42b9-8b56-a5fc6d011569 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71 2016-07-06 03:00:55.781 18323 INFO keystone.common.wsgi [req-9843ab92-0f8f-42b9-8b56-a5fc6d011569 - - - - -] POST http://10.111.109.81:5000/v2.0/tokens 2016-07-06 03:00:55.879 18323 INFO keystone.token.providers.fernet.utils [req-9843ab92-0f8f-42b9-8b56-a5fc6d011569 - - - - -] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/ 2016-07-06 03:00:55.882 18323 INFO eventlet.wsgi.server [req-9843ab92-0f8f-42b9-8b56-a5fc6d011569 - - - - -] 10.111.109.191,10.111.109.89 - - [06/Jul/2016 03:00:55] "POST /v2.0/tokens HTTP/1.1" 200 3585 0.102872 2016-07-06 03:00:57.450 18323 DEBUG keystone.middleware.auth [req-57632939-e139-4dc7-a1f4-833ce4e84665 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71 2016-07-06 03:00:57.452 18323 INFO keystone.common.wsgi [req-57632939-e139-4dc7-a1f4-833ce4e84665 - - - - -] POST http://10.111.109.81:5000/v2.0/tokens 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi [req-57632939-e139-4dc7-a1f4-833ce4e84665 - - - - -] 'list' object has no attribute 'items' 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi Traceback (most recent call last): 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 249, in __call__ 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi result = method(context, **params) 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/oslo_log/versionutils.py", line 165, in wrapped 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi return func_or_cls(*args, **kwargs) 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 144, in authenticate 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi auth_token_data, roles_ref=roles_ref, catalog_ref=catalog_ref) 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 124, in wrapped 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi __ret_val = __f(*args, **kwargs) 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 360, in issue_v2_token 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi token_ref, roles_ref, catalog_ref) 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/core.py", line 38, in issue_v2_token 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi *args, **kwargs) 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/providers/common.py", line 570, in issue_v2_token 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi token_ref, roles_ref, catalog_ref, trust_ref) 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/providers/common.py", line 163, in format_token 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi catalog_ref) 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/providers/common.py", line 214, in format_catalog 2016-07-06 03:00:57.565 18323 ERROR keystone.common.wsgi for region, region_ref in
[Yahoo-eng-team] [Bug 1632924] Re: Lingering sql backend role assignments after deletion of ldap user.
[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.] ** Changed in: keystone Status: Incomplete => Expired -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1632924 Title: Lingering sql backend role assignments after deletion of ldap user. Status in OpenStack Identity (keystone): Expired Bug description: Greetings all, There is currently an issue in an Openstack Liberty environment where the keystone configuration is using a ldap driver for users and the sql driver for role assignments. The issue being encountered is when a ldap user is removed, the id for that user(actor_id) remains in the keystone.assignment table. The way this was discovered was that if we attempt to perform a user list on a specific project where a former ldap user existed the openstack client abruptly exits with an exception[1] regarding the resource or in this case the user id no longer being found as it was deleted from ldap while its role assignment for the user remains in the keystone.assignments table. There was a similar bug found [2], however that one deals by both identity and assignment driver using ldap whereas this particular case identity is ldap and assignment is sql. Environment details: Openstack Version: 12.2.0(Liberty) Keystone Version: 8.1.2 identity driver: ldap assignment driver: sql [0] MariaDB [keystone]> select * from assignment where actor_id='50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47'; +-+--+--+--+---+ | type| actor_id | target_id| role_id | inherited | +-+--+--+--+---+ | UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | 9fe2ff9ee4384b1894a90878d3e92bab | 0 | | UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | bffeb621920e40feb18ce2c28b07d1a1 | 0 | +-+--+--+--+---+ [1] Request returned failure status: 401 Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand result = cmd.run(parsed_args) File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run column_names, data = self.take_action(parsed_args) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper return func(self, *args, **kwargs) File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action user = utils.find_resource(identity_client.users, user_id) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource raise exceptions.CommandError(msg) CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 clean_up ListUser: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 112, in run ret_val = super(OpenStackShell, self).run(argv) File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 255, in run result = self.run_subcommand(remainder) File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand result = cmd.run(parsed_args) File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run column_names, data = self.take_action(parsed_args) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper return func(self, *args, **kwargs) File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action user = utils.find_resource(identity_client.users, user_id) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource raise exceptions.CommandError(msg) CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 END return
[Yahoo-eng-team] [Bug 1629167] Re: HEAD request blocked cause of response Content-Length more than 0
[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.] ** Changed in: keystone Status: Incomplete => Expired -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1629167 Title: HEAD request blocked cause of response Content-Length more than 0 Status in OpenStack Identity (keystone): Expired Bug description: version: keystone9.2.0 api: curl -i -X HEAD http://**:35357/v2.0/tokens/** -H "X-Auth-Token:**" result: HTTP/1.1 200 OK Vary: X-Auth-Token Content-Type: application/json Content-Length: 5420 X-Openstack-Request-Id: req-c0db94a5-9078-4181-947c-924dfca65a7a Date: Fri, 30 Sep 2016 03:31:51 GMT and we found block at here. I think beause resp body has set to b'', content-lenth not set to 0. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1629167/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1640616] Re: Add healthcheck middleware to pipelines
[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.] ** Changed in: keystone Status: Incomplete => Expired -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1640616 Title: Add healthcheck middleware to pipelines Status in OpenStack Identity (keystone): Expired Bug description: https://review.openstack.org/387731 Dear bug triager. This bug was created since a commit was marked with DOCIMPACT. Your project "openstack/keystone" is set up so that we directly report the documentation bugs against it. If this needs changing, the docimpact-group option needs to be added for the project. You can ask the OpenStack infra team (#openstack-infra on freenode) for help if you need to. commit eeac2cb6d1bdb7b5330cf24b1d98151876e9f672 Author: Jesse KeatingDate: Mon Oct 17 17:20:54 2016 -0700 Add healthcheck middleware to pipelines This introduces the oslo healt check middleware http://docs.openstack.org/developer/oslo.middleware/healthcheck_plugins.html into the pipelines. This middleware is useful for load balancers and http servers, which can use it to validate that the keystone services are operational. This middleware is being used in other services such as glance and magnum. This patch provides it for keystone, in an effort to spread the usage across all major projects. This is one less item that operators will have to patch locally. DocImpact Change-Id: I19e4fc8f6c6a227068ba7191c1e9c453fc08f061 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1640616/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1656075] Re: DiscoveryFailure when trying to get resource providers from the scheduler report client
** Also affects: nova/newton Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1656075 Title: DiscoveryFailure when trying to get resource providers from the scheduler report client Status in OpenStack Compute (nova): Confirmed Status in OpenStack Compute (nova) newton series: New Bug description: I noticed this in a TripleO job: http://logs.openstack.org/04/419604/1/check/gate-puppet-openstack- integration-4-scenario004-tempest-centos-7/5d95a8c/logs/nova/nova- compute.txt.gz#_2017-01-12_18_53_43_459 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager [req-59098025-7c99-41b2-aaa9-0e5714770b3a - - - - -] Error updating resources for node centos-7-osic-cloud1-s3500-6631948. 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager Traceback (most recent call last): 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 6537, in update_available_resource_for_node 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager rt.update_available_resource(context, nodename) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/compute/resource_tracker.py", line 540, in update_available_resource 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager self._update_available_resource(context, resources) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 271, in inner 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager return f(*args, **kwargs) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/compute/resource_tracker.py", line 564, in _update_available_resource 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager self._init_compute_node(context, resources) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/compute/resource_tracker.py", line 451, in _init_compute_node 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager self.scheduler_client.update_resource_stats(self.compute_node) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/scheduler/client/__init__.py", line 60, in update_resource_stats 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager self.reportclient.update_resource_stats(compute_node) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/scheduler/client/__init__.py", line 37, in __run_method 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager return getattr(self.instance, __name)(*args, **kwargs) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/scheduler/client/report.py", line 476, in update_resource_stats 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager compute_node.hypervisor_hostname) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/scheduler/client/report.py", line 296, in _ensure_resource_provider 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager rp = self._get_resource_provider(uuid) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/scheduler/client/report.py", line 53, in wrapper 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager return f(self, *a, **k) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/scheduler/client/report.py", line 209, in _get_resource_provider 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager resp = self.get("/resource_providers/%s" % uuid) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/nova/scheduler/client/report.py", line 174, in get 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager endpoint_filter=self.ks_filter, raise_exc=False) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 710, in get 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager return self.request(url, 'GET', **kwargs) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager return wrapped(*args, **kwargs) 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 467, in request 2017-01-12 18:53:43.459 15495 ERROR nova.compute.manager
[Yahoo-eng-team] [Bug 1656276] Re: Error running nova-manage cell_v2 simple_cell_setup when configuring nova with puppet-nova
** Also affects: packstack Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1656276 Title: Error running nova-manage cell_v2 simple_cell_setup when configuring nova with puppet-nova Status in OpenStack Compute (nova): In Progress Status in OpenStack Compute (nova) newton series: New Status in Packstack: New Status in puppet-nova: New Status in tripleo: Triaged Bug description: When installing and configuring nova with puppet-nova (with either tripleo, packstack or puppet-openstack-integration), we are getting following errors: Debug: Executing: '/usr/bin/nova-manage cell_v2 simple_cell_setup --transport-url=rabbit://guest:guest@172.19.2.159:5672/?ssl=0' Debug: /Stage[main]/Nova::Db::Sync_cell_v2/Exec[nova-cell_v2-simple-cell-setup]/returns: Sleeping for 5 seconds between tries Notice: /Stage[main]/Nova::Db::Sync_cell_v2/Exec[nova-cell_v2-simple-cell-setup]/returns: Cell0 is already setup. Notice: /Stage[main]/Nova::Db::Sync_cell_v2/Exec[nova-cell_v2-simple-cell-setup]/returns: No hosts found to map to cell, exiting. The issue seems to be that it's running "nova-manage cell_v2 simple_cell_setup" as part of the nova database initialization when no compute nodes have been created but it returns 1 in that case [1]. However, note that the previous steps (Cell0 mapping and schema migration) were successfully run. I think for nova bootstrap a reasonable orchestrated workflow would be: 1. Create required databases (including the one for cell0). 2. Nova db sync 3. nova cell0 mapping and schema creation. 4. Adding compute nodes 5. mapping compute nodes (by running nova-manage cell_v2 discover_hosts) For step 3 we'd need to get simple_cell_setup to return 0 when not having compute nodes, or having a different command. With current behavior of nova-manage the only working workflow we can do is: 1. Create required databases (including the one for cell0). 2. Nova db sync 3. Adding all compute nodes 4. nova cell0 mapping and schema creation with "nova-manage cell_v2 simple_cell_setup". Am I right?, Is there any better alternative? [1] https://github.com/openstack/nova/blob/master/nova/cmd/manage.py#L1112-L1114 To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1656276/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1656026] Re: Exception don't follow a punctuation convention
Reviewed: https://review.openstack.org/420187 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ee2747bac2e6eeb86e6340a2bb3509bc25f115bc Submitter: Jenkins Branch:master commit ee2747bac2e6eeb86e6340a2bb3509bc25f115bc Author: Gage HugoDate: Fri Jan 13 15:34:59 2017 -0600 Corrected punctuation on multiple exceptions As mentioned in the bug report, keystone/exceptions.py has many exceptions with messages that are not consistant with each other and have various punctuational differences, such as some ending with a period while others do not. This change adds a '.' to the end of many exception messages and adds small changes to other messages in order to keep all of the exception messages consistant. Change-Id: I21cac56ff70dbc2693c6090b887537a7c1f303e1 Closes-Bug: #1656026 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1656026 Title: Exception don't follow a punctuation convention Status in OpenStack Identity (keystone): Fix Released Bug description: If you happen to take a look through keystone exception module [0]. You'll notice that some of the exceptions use proper punctuation, while other do not. David Stanek mentioned this in a review [1], and we thought it was appropriate to track it as a low-hanging-fruit bug. We should decide what that convention should be for keystone, then apply it to all of our exceptions consistently. [0] https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/exception.py#L105-L118 [1] https://review.openstack.org/#/c/415895/8/keystone/exception.py To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1656026/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1656076] Re: The keystone server auth plugin methods could mismatch user_id in auth_context
Reviewed: https://review.openstack.org/419693 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0f3f08c3df0dd6c32e685dae6726e945b01ea8c7 Submitter: Jenkins Branch:master commit 0f3f08c3df0dd6c32e685dae6726e945b01ea8c7 Author: Morgan FainbergDate: Thu Jan 12 15:19:48 2017 -0800 Force use of AuthContext object in .authentcate() Force the keystone.auth.controllers.Auth.authenticate method to require the use of an AuthContext object instead of something duck-typed (dictionary). This is done to ensure the security and integrity of IDENTITY_KEYS are covered and values are not changed by a plugin due to the security built into AuthContext being circumvented since it was not used. This is not pythonic, this is being done for hardening purposes. Change-Id: I013846af59587d17b15ca4cf546e6372231f576e Closes-Bug: #1656076 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1656076 Title: The keystone server auth plugin methods could mismatch user_id in auth_context Status in OpenStack Identity (keystone): Fix Released Status in OpenStack Identity (keystone) mitaka series: Invalid Status in OpenStack Identity (keystone) newton series: Invalid Status in OpenStack Identity (keystone) ocata series: Fix Released Bug description: The keystone server blindly overwrites the auth_context.user_id in each auth method that is run. This means that the last auth_method that is run for a given authentication request dictates the user_id. While this is not exploitable externally without misconfiguration of the external plugin methods and supporting services, this is a bad state that could relatively easily result in someone ending up authenticated with the wrong user_id. The simplest fix will be to have the for loop in the authentication controller (that iterates over the methods) to verify the user_id does not change between auth_methods executed. https://github.com/openstack/keystone/blob/f8ee249bf08cefd8468aa15c589dab48bd5c4cd8/keystone/auth/controllers.py#L550-L557 This has been marked as public security for hardening purposes, likely a "Class D" https://security.openstack.org/vmt-process.html#incident- report-taxonomy To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1656076/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp