Reviewed:  https://review.openstack.org/301795
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7ad4f8728cce354617b5facefe5076d65af311c6
Submitter: Jenkins
Branch:    master

commit 7ad4f8728cce354617b5facefe5076d65af311c6
Author: Boris Bobrov <bbob...@mirantis.com>
Date:   Tue Apr 5 18:50:48 2016 +0300

    Update federated user display name with shadow_users_api

    When a user comes to the cloud for the first time, a shadow user
    is created. When the user authenticates again, this shadow user is
    fetched and returned. Before it is returned, its display name
    should be updated.

    But the call to update the display name fails because neither
    identity manager nor identity drivers have the required method.
    However, the required method exists in shadow_users_api.

    The issue was hidden because method shadow_federated_user was
    cached and while the cache lived, the user could authenticate.

    Use the method of shadow_user_api instead of identity_api to
    update federated user display name.

    Change-Id: I58e65bdf3a953f3ded485003939b81f908738e1e
    Closes-Bug: 1566282

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1566282

Title:
  Returning federated user fails to authenticate with HTTP 500

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Fix Released
Status in OpenStack Identity (keystone) newton series:
  In Progress

Bug description:
  I've set up stable/mitaka keystone with AD FS and it worked. After
  some time, I decided to test the setup again and after trying to
  authenticate I've got HTTP 500.

  In keystone logs, there is this:
  http://paste.openstack.org/show/492968/ (the logs are the same as
  below).

  This happens because self.update_federated_user_display_name is
  called in identity_api.shadow_federated_user. Since no
  update_federated_user_display_name is defined in identity_api,
  __getattr__ tries to look up the name in the driver.
  The driver used for identity_api doesn't have
  update_federated_user_display_name, and AttributeError is raised.

  The issue seems to exist on both stable/mitaka and master (6f9f390).

  2016-04-05 11:53:56.173 2100 DEBUG keystone.federation.utils [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7fef82155850> _update_local_mapping /opt/stack/keystone/keystone/federation/utils.py:691
  2016-04-05 11:53:56.173 2100 DEBUG keystone.federation.utils [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] local: {u'id': u'f7567142a8024543ab678de7be553dbf'} _update_local_mapping /opt/stack/keystone/keystone/federation/utils.py:692
  2016-04-05 11:53:56.173 2100 DEBUG keystone.federation.utils [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] identity_values: [{u'user': {u'domain': {u'name': u'Default'}, u'name': u'bre...@winad.org'}}, {u'group': {u'id': u'f7567142a8024543ab678de7be553dbf'}}] process /opt/stack/keystone/keystone/federation/utils.py:535
  2016-04-05 11:53:56.174 2100 DEBUG keystone.federation.utils [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] mapped_properties: {'group_ids': [u'f7567142a8024543ab678de7be553dbf'], 'user': {u'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'breton@winad.org'}, 'group_names': []} process /opt/stack/keystone/keystone/federation/utils.py:537
  2016-04-05 11:53:56.273 2100 ERROR keystone.common.wsgi [req-fe431d33-f850-4a49-87b6-abad9290e638 - - - - -] 'Identity' object has no attribute 'update_federated_user_display_name'
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi Traceback (most recent call last):
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/wsgi.py", line 249, in __call__
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     result = method(context, **params)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/federation/controllers.py", line 320, in federated_sso_auth
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     protocol_id)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/federation/controllers.py", line 302, in federated_authentication
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     return self.authenticate_for_token(context, auth=auth)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/controllers.py", line 396, in authenticate_for_token
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     self.authenticate(context, auth_info, auth_context)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/controllers.py", line 520, in authenticate
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     auth_context)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 65, in authenticate
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     self.identity_api)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/auth/plugins/mapped.py", line 153, in handle_unscoped_token
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     display_name)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/manager.py", line 124, in wrapped
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     __ret_val = __f(*args, **kwargs)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1053, in decorate
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     should_cache_fn)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 657, in get_or_create
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     async_creator) as value:
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 158, in __enter__
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     return self._enter()
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 98, in _enter
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     generated = self._enter_create(createdtime)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 149, in _enter_create
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     created = self.creator()
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 625, in gen_value
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     created_value = creator()
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/usr/local/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1049, in creator
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     return fn(*arg, **kw)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/identity/core.py", line 1242, in shadow_federated_user
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     self.update_federated_user_display_name(idp_id, protocol_id,
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi   File "/opt/stack/keystone/keystone/common/manager.py", line 187, in __getattr__
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi     f = getattr(self.driver, name)
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi AttributeError: 'Identity' object has no attribute 'update_federated_user_display_name'
  2016-04-05 11:53:56.273 2100 TRACE keystone.common.wsgi
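
Added example, not part of the bug report and not keystone's code: a constructed model of why the missing method stayed hidden while shadow_federated_user was cached, and of the effect of routing the update through shadow_users_api. The class bodies, get_federated_user, create_federated_user, the plain dict cache and the sample values are assumptions made for illustration.

```python
# Constructed model of the failure mode described above; not keystone's code.
class IdentityDriver:
    """Stands in for the identity driver, which lacks the update method."""

class ShadowUsersApi:
    def __init__(self):
        self.users = {}
    def get_federated_user(self, idp, proto, uid):  # hypothetical helper
        return self.users[(idp, proto, uid)]  # KeyError for a new user
    def create_federated_user(self, idp, proto, uid, name):  # hypothetical
        return self.users.setdefault((idp, proto, uid), {"name": name})
    def update_federated_user_display_name(self, idp, proto, uid, name):
        self.users[(idp, proto, uid)]["name"] = name

class IdentityManager:
    def __init__(self, fixed):
        self.driver = IdentityDriver()
        self.shadow_users_api = ShadowUsersApi()
        self.fixed = fixed  # True: behave as after the commit
        self.cache = {}  # stands in for the cache around shadow_federated_user
    def __getattr__(self, name):
        # Reached only for names missing on the manager: defer to the driver.
        return getattr(self.driver, name)
    def shadow_federated_user(self, idp, proto, uid, name):
        args = (idp, proto, uid, name)
        if args in self.cache:  # warm cache: the broken call never runs
            return self.cache[args]
        try:
            user = self.shadow_users_api.get_federated_user(idp, proto, uid)
        except KeyError:  # first login: create the shadow user, no update
            user = self.shadow_users_api.create_federated_user(*args)
        else:  # returning user: the display name update runs
            target = self.shadow_users_api if self.fixed else self
            target.update_federated_user_display_name(*args)
        self.cache[args] = user
        return user

def login_sequence(fixed):
    """Outcomes of: first login, login on a warm cache, login after expiry."""
    mgr, outcomes = IdentityManager(fixed), []
    for expire in (False, False, True):
        if expire:
            mgr.cache.clear()  # simulate the cached entry expiring
        try:
            mgr.shadow_federated_user("adfs", "saml2", "user@example.org", "User")
            outcomes.append("ok")
        except AttributeError:  # surfaces to the client as HTTP 500
            outcomes.append("AttributeError")
    return outcomes
```

A regression test for this path has to exercise a returning user with the cache cold or disabled; with the cache warm, the unfixed model passes exactly as the deployment in the report did.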