Reviewed: https://review.openstack.org/301795
Committed:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=7ad4f8728cce354617b5facefe5076d65af311c6
Submitter: Jenkins
Branch: master
commit 7ad4f8728cce354617b5facefe5076d65af311c6
Author: Boris Bobrov <bbob...@mirantis.com>
Date: Tue Apr 5 18:50:48 2016 +0300
Update federated user display name with shadow_users_api
When a user comes to the cloud for the first time, a shadow user is
created. When the user authenticates again, this shadow user is
fetched and returned. Before it is returned, its display name should
be updated. But the call to update the display name fails because
neither identity manager nor identity drivers have the required
method. However, the required method exists in shadow_users_api.
The issue was hidden because method shadow_federated_user was
cached and while the cache lived, the user could authenticate.
Use the method of shadow_user_api instead of identity_api to update
federated user display name.
Change-Id: I58e65bdf3a953f3ded485003939b81f908738e1e
Closes-Bug: 1566282
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1566282
Title:
Returning federated user fails to authenticate with HTTP 500
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) mitaka series:
Fix Released
Status in OpenStack Identity (keystone) newton series:
In Progress
Bug description:
I've set up stable/mitaka keystone with AD FS and it worked. After
some time, i decided to test the set up again and after trying to
authenicate i've got HTTP 500.
In keystone logs, there is this:
http://paste.openstack.org/show/492968/ (the logs are the same as
below).
This happens because self.update_federated_user_display_name is
called in identity_api.shadow_federated_user. Since no
update_federated_user_display_name is defined in identity_api,
__getattr__ tries to lookup the name in the driver. The driver used
for identity_api hasn't update_federated_user_display_name, and
AttributeError is raised.
The issue seems to exist on both stable/mitaka and master (6f9f390).
2016-04-05 11:53:56.173 2100 DEBUG keystone.federation.utils
[req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] direct_maps:
<keystone.federation.utils.DirectMaps object at 0x7fef82155850>
_update_local_mapping /opt/stack/keystone/keystone/federation/utils.py:691
2016-04-05 11:53:56.173 2100 DEBUG keystone.federation.utils
[req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] local: {u'id':
u'f7567142a8024543ab678de7be553dbf'} _update_local_mapping
/opt/stack/keystone/keystone/federation/utils.py:692
2016-04-05 11:53:56.173 2100 DEBUG keystone.federation.utils
[req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] identity_values:
[{u'user': {u'domain': {u'name': u'Default'}, u'name': u'bre...@winad.org'}},
{u'group': {u'id': u'f7567142a8024543ab678de7be553dbf'}}] proc
ess /opt/stack/keystone/keystone/federation/utils.py:535
2016-04-05 11:53:56.174 2100 DEBUG keystone.federation.utils
[req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] mapped_properties:
{'group_ids': [u'f7567142a8024543ab678de7be553dbf'], 'user': {u'domain': {'id':
'Federated'}, 'type': 'ephemeral', u'name': u'breton@winad
.org'}, 'group_names': []} process
/opt/stack/keystone/keystone/federation/utils.py:537
2016-04-05 11:53:56.273 2100 ERROR keystone.common.wsgi
[req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] 'Identity' object has no
attribute 'update_federated_user_display_name'
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi Traceback (most
recent call last):
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/common/wsgi.py", line 249, in __call__
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi result =
method(context, **params)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/federation/controllers.py", line 320, in
federated_sso_auth
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi protocol_id)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/federation/controllers.py", line 302, in
federated_authentication
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi return
self.authenticate_for_token(context, auth=auth)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/auth/controllers.py", line 396, in
authenticate_for_token
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi
self.authenticate(context, auth_info, auth_context)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/auth/controllers.py", line 520, in authenticate
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi auth_context)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 65, in authenticate
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi self.identity_api)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 153, in
handle_unscoped_token
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi display_name)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/common/manager.py", line 124, in wrapped
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi __ret_val =
__f(*args, **kwargs)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1053, in
decorate
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi should_cache_fn)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 657, in
get_or_create
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi async_creator) as
value:
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 158, in
__enter__
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi return
self._enter()
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 98, in
_enter
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi generated =
self._enter_create(createdtime)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 149, in
_enter_create
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi created =
self.creator()
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 625, in
gen_value
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi created_value =
creator()
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1049, in
creator
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi return fn(*arg,
**kw)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/identity/core.py", line 1242, in
shadow_federated_user
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi
self.update_federated_user_display_name(idp_id, protocol_id,
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi File
"/opt/stack/keystone/keystone/common/manager.py", line 187, in __getattr__
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi f =
getattr(self.driver, name)
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi AttributeError:
'Identity' object has no attribute 'update_federated_user_display_name'
2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1566282/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
