Keystone REMOTE_USER with no metadata causes 404 on auth
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Medium | Unassigned |
Bug Description
With the recent introduction of REMOTE_USER auth support (i.e. remote authn) in Keystone (see https:/
* REMOTE_USER is set by an external authenticator
* There is no 'metadata' (i.e. no metadata for the given user in the given tenant)
When both of the above conditions hold, a POST to /tokens returns the following error:
2012-11-05 14:30:37 DEBUG [keystone.
2012-11-05 14:30:37 DEBUG [keystone.
2012-11-05 14:30:37 DEBUG [eventlet.
The root cause is located around line 358 of service.py where the 'else' branch to handle remote authn tries to use a tenant_ref and metadata_ref. In this scenario the call to self.identity_
If you look at one of the identity drivers (say the sql driver), you can see that in the normal authenticate() flow the driver itself catches the not-found exception and defaults the metadata. From the sql identity driver:
if tenant_id is not None:
if tenant_id not in self.get_
try:
except exception.
except exception.
return (filter_
That said, one fix for this bug is to update service.py so that the calls that raise are wrapped in a try/except and defaulted the same way the driver does.
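As an added illustration (not code from the report, the driver or the diff below), the following models the remote-authn branch before and after such a fix against a constructed stub identity API. The exception names TenantNotFound and MetadataNotFound, the stub API and its methods are assumptions standing in for the identifiers that are truncated above; the fixed variant also shows why binding the defaults before the try is safer than falling through with a bare `pass`.

```python
# Added illustration, not Keystone code: a reduced model of the remote-authn
# branch of TokenController.authenticate(); exception names and the stub
# identity API are assumptions standing in for the report's truncated names.
class TenantNotFound(Exception):
    """Driver error: the tenant does not exist."""
class MetadataNotFound(Exception):
    """Driver error: the user has no metadata (roles) in that tenant."""

class StubIdentityApi:
    """Constructed stand-in for the identity API with fixed sample data."""
    def __init__(self):
        self.tenants = {"t1": {"id": "t1", "name": "tenant-one"}}
        # u1 has roles in t1; u2 exists but has no metadata record there
        self.metadata = {("u1", "t1"): {"roles": ["r-admin"]}}

    def get_tenant(self, tenant_id):
        if tenant_id not in self.tenants:
            raise TenantNotFound(tenant_id)
        return self.tenants[tenant_id]

    def get_metadata(self, user_id, tenant_id):
        if (user_id, tenant_id) not in self.metadata:
            raise MetadataNotFound((user_id, tenant_id))
        return self.metadata[(user_id, tenant_id)]

def remote_authn_before(api, user_id, tenant_id):
    """Pre-fix branch: a missing record propagates and surfaces as the 404."""
    tenant_ref = api.get_tenant(tenant_id)
    metadata_ref = api.get_metadata(user_id, tenant_id)
    return tenant_ref, metadata_ref

def remote_authn_after(api, user_id, tenant_id):
    """Fixed branch, mirroring the sql driver: default the metadata to {}.
    Defaults bound before the try mean `pass` never leaves a name unbound."""
    tenant_ref, metadata_ref = None, {}
    try:
        tenant_ref = api.get_tenant(tenant_id)
        metadata_ref = api.get_metadata(user_id, tenant_id)
    except (TenantNotFound, MetadataNotFound):
        pass  # keep the safe defaults assigned above: no tenant, no roles
    return tenant_ref, metadata_ref

def reproduce(api, user_id="u2", tenant_id="t1"):
    """Returns (before_raised, after_result) for the no-metadata case."""
    try:
        remote_authn_before(api, user_id, tenant_id)
        return False, remote_authn_after(api, user_id, tenant_id)
    except (TenantNotFound, MetadataNotFound):
        return True, remote_authn_after(api, user_id, tenant_id)
```

A missing metadata record ends up as an empty dict, i.e. a token with no roles, which is the fail-safe outcome; the pre-fix branch instead turns the same condition into a failed request.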
Below is a diff including a test case that reproduces the error and the fix:
diff --git a/keystone/
index b6443a7..1e55348 100644
--- a/keystone/
+++ b/keystone/
@@ -355,14 +355,19 @@ class TokenController
- if not tenant_ref:
- tenant_ref = self.identity_
+ try:
+ if not tenant_ref:
+ tenant_ref = self.identity_
+ self.identity_api,
+ tenant_id)
+ metadata_ref = self.identity_
+ user_id,
- metadata_ref = self.identity_
- self.identity_api,
- user_id,
- tenant_id)
+ except (exception.
+ exception.
+ pass
+
# If the user is disabled don't allow them to authenticate
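Review bot: the handler `except (exception.` ... `pass` falls through without binding anything, so when the tenant lookup inside the same `try` raises first, `metadata_ref` is never assigned and `tenant_ref` stays empty, yet the description above says this branch goes on to use both names. Assign explicit defaults instead of relying on `pass`, for example `metadata_ref = {}` before the `try`, matching what the sql driver's authenticate() does; and consider narrowing the handler so that only the missing-metadata case is tolerated here rather than a missing tenant being silently turned into an unscoped token.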
diff --git a/tests/
index 775b2ca..d9d3c17 100644
--- a/tests/
+++ b/tests/
@@ -129,3 +129,16 @@ class RemoteUserTest(
+
+ def test_remote_
+ for meta in default_
+ self.identity_
+ meta['user_id'],
+ meta['tenant_id'])
+ local_token = self.api.
+ {},
+ self._build_
+ remote_token = self.api.
+ {'REMOTE_USER': 'FOO'},
+ self._build_
+ self.assertEqua
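Review bot: the loop at the top of `test_remote_` calls `self.identity_` with `meta['user_id']`, `meta['tenant_id']` for every entry of `default_`, but nothing in the test states that this is what establishes the no-metadata condition the bug depends on. A one-line comment naming that intent, plus an assertion that the POST with `{'REMOTE_USER': 'FOO'}` now succeeds before the two tokens are compared in `self.assertEqua`, would make the regression test self-explanatory.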
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Looks like this is already fixed in latest keystone v3. There is a try/catch in _get_metadata_ref and _get_tenant_ref - https://github.com/openstack/keystone/blob/master/keystone/service.py
-- dims