tempest plugin tests are broken

Bug #1700847 reported by Colleen Murphy
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Kristi Nikolla

Bug Description

The Saml2 tempest plugin tests are broken. Example:

http://logs.openstack.org/00/476200/5/check/gate-keystone-dsvm-functional-v3-only-ubuntu-xenial-nv/f71024f/console.html

keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2EcpFederatedAuthentication.test_request_scoped_token
----------------------------------------------------------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):
      File "/opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py", line 167, in test_request_scoped_token
        resp = self._request_unscoped_token()
      File "/opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py", line 116, in _request_unscoped_token
        self.assertEqual(http_client.OK, resp.status_code)
      File "/opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/testtools/testcase.py", line 411, in assertEqual
        self.assertThat(observed, matcher, message)
      File "/opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/testtools/testcase.py", line 498, in assertThat
        raise mismatch_error
    testtools.matchers._impl.MismatchError: 200 != 401

From the keystone logs:

Jun 27 13:38:01.904864 ubuntu-xenial-osic-cloud1-s3700-9538683 <email address hidden>[3059]: DEBUG keystone.federation.utils [None req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] assertion data: {'CONTEXT_DOCUMENT_ROOT': u'/var/www/html', 'SERVER_SOFTWARE': u'Apache/2.4.18 (Ubuntu)', 'CONTEXT_PREFIX': u'', 'REQUEST_SCHEME': u'http', 'webob.adhoc_attrs': {'response': <Response at 0x7f72b413b650 200 OK>}, 'SERVER_SIGNATURE': u'<address>Apache/2.4.18 (Ubuntu) Server at 10.12.215.84 Port 80</address>\n', 'REQUEST_METHOD': u'GET', 'keystone.oslo_request_context': <keystone.common.context.RequestContext object at 0x7f72b412e3d0>, 'PATH_INFO': u'/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth', 'SERVER_PROTOCOL': u'HTTP/1.1', 'QUERY_STRING': u'', 'PATH': u'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'REMOTE_ADDR': u'10.12.215.84', 'CONTENT_LENGTH': u'0', 'HTTP_USER_AGENT': u'python-requests/2.18.1', 'HTTP_CONNECTION': u'keep-alive', 'REMOTE_PORT': u'55194', 'SERVER_NAME': u'10.12.215.84', 'routes.route': <routes.route.Route object at 0x7f72b47167d0>, 'HTTP_PAOS': u'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"', 'wsgi.url_scheme': u'http', 'wsgiorg.routing_args': (<routes.util.URLGenerator object at 0x7f72b413b550>, {'idp_id': u'testshib', 'protocol_id': u'mapped'}), 'SERVER_PORT': u'80', 'uwsgi.node': u'ubuntu-xenial-osic-cloud1-s3700-9538683', 'SERVER_ADDR': u'10.12.215.84', 'DOCUMENT_ROOT': u'/var/www/html', 'webob._parsed_query_vars': (GET([]), ''), 'SCRIPT_FILENAME': u'proxy:uwsgi://uwsgi-uds-keystone-wsgi-public//v3/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth', 'SERVER_ADMIN': u'webmaster@localhost', 'wsgi.input': <_io.BytesIO object at 0x7f72b4753e90>, 'HTTP_HOST': u'10.12.215.84', 'SCRIPT_NAME': u'/identity/v3', 'proxy-sendcl': u'1', 'wsgi.multithread': False, 'webob.is_body_readable': True, 'routes.url': <routes.util.URLGenerator object at 0x7f72b413b550>, 'REQUEST_URI': 
u'/identity/v3/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth', 'HTTP_ACCEPT':
Jun 27 13:38:01.905296 ubuntu-xenial-osic-cloud1-s3700-9538683 <email address hidden>[3059]: u'text/html, application/vnd.paos+xml', 'openstack.request_id': u'req-b05cfa0a-139b-422d-9e96-0e74b96c10c3', 'wsgi.version': (1, 0), 'openstack.context': {'token_id': None}, 'GATEWAY_INTERFACE': u'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <open file 'wsgi_errors', mode 'w' at 0x7f72b4745540>, 'wsgi.multiprocess': True, 'keystone.token_auth': <keystonemiddleware.auth_token._user_plugin.UserAuthPlugin object at 0x7f72b6354ed0>, 'uwsgi.version': u'2.0.15', 'webob.is_body_seekable': True, 'wsgi.file_wrapper': <built-in function uwsgi_sendfile>, 'HTTP_ACCEPT_ENCODING': u'gzip, deflate'} {{(pid=3061) process /opt/stack/new/keystone/keystone/federation/utils.py:512}}
Jun 27 13:38:01.905592 ubuntu-xenial-osic-cloud1-s3700-9538683 <email address hidden>[3059]: DEBUG keystone.federation.utils [None req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] assertion: {'CONTEXT_DOCUMENT_ROOT': [u'/var/www/html'], 'SERVER_SOFTWARE': [u'Apache/2.4.18 (Ubuntu)'], 'CONTEXT_PREFIX': [u''], 'SERVER_SIGNATURE': [u'<address>Apache/2.4.18 (Ubuntu) Server at 10.12.215.84 Port 80</address>\n'], 'REQUEST_METHOD': [u'GET'], 'PATH_INFO': [u'/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth'], 'SERVER_PROTOCOL': [u'HTTP/1.1'], 'QUERY_STRING': [u''], 'PATH': [u'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'], 'CONTENT_LENGTH': [u'0'], 'HTTP_USER_AGENT': [u'python-requests/2.18.1'], 'HTTP_CONNECTION': [u'keep-alive'], 'SERVER_NAME': [u'10.12.215.84'], 'REMOTE_PORT': [u'55194'], 'HTTP_PAOS': [u'ver="urn:liberty:paos:2003-08"', u'"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'], 'wsgi.url_scheme': [u'http'], 'SERVER_PORT': [u'80'], 'uwsgi.node': [u'ubuntu-xenial-osic-cloud1-s3700-9538683'], 'SERVER_ADDR': [u'10.12.215.84'], 'DOCUMENT_ROOT': [u'/var/www/html'], 'SCRIPT_FILENAME': [u'proxy:uwsgi://uwsgi-uds-keystone-wsgi-public//v3/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth'], 'SERVER_ADMIN': [u'webmaster@localhost'], 'HTTP_HOST': [u'10.12.215.84'], 'SCRIPT_NAME': [u'/identity/v3'], 'proxy-sendcl': [u'1'], 'REQUEST_URI': [u'/identity/v3/OS-FEDERATION/identity_providers/testshib/protocols/mapped/auth'], 'HTTP_ACCEPT': [u'text/html, application/vnd.paos+xml'], 'openstack.request_id': [u'req-b05cfa0a-139b-422d-9e96-0e74b96c10c3'], 'GATEWAY_INTERFACE': [u'CGI/1.1'], 'uwsgi.version': [u'2.0.15'], 'REMOTE_ADDR': [u'10.12.215.84'], 'REQUEST_SCHEME': [u'http'], 'HTTP_ACCEPT_ENCODING': [u'gzip, deflate']} {{(pid=3061) process /opt/stack/new/keystone/keystone/federation/utils.py:515}}
Jun 27 13:38:01.905974 ubuntu-xenial-osic-cloud1-s3700-9538683 <email address hidden>[3059]: DEBUG keystone.federation.utils [None req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] rules: [{u'local': [{u'user': {u'name': u'{0}'}}, {u'group': {u'domain': {u'name': u'federated_domain'}, u'name': u'federated_users'}}], u'remote': [{u'type': u'eppn'}]}] {{(pid=3061) process /opt/stack/new/keystone/keystone/federation/utils.py:518}}
Jun 27 13:38:01.906062 ubuntu-xenial-osic-cloud1-s3700-9538683 <email address hidden>[3059]: DEBUG keystone.federation.utils [None req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] identity_values: [] {{(pid=3061) process /opt/stack/new/keystone/keystone/federation/utils.py:538}}
Jun 27 13:38:01.906153 ubuntu-xenial-osic-cloud1-s3700-9538683 <email address hidden>[3059]: WARNING keystone.federation.utils [None req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] Could not map any federated user properties to identity values. Check debug logs or the mapping used for additional details.
Jun 27 13:38:01.909617 ubuntu-xenial-osic-cloud1-s3700-9538683 <email address hidden>[3059]: WARNING keystone.common.wsgi [None req-b05cfa0a-139b-422d-9e96-0e74b96c10c3 None None] Authorization failed. The request you have made requires authentication. from 10.12.215.84: Unauthorized: The request you have made requires authentication.

So the SAML assertion is incorrect for some reason.
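
Added example, not part of the original report and not keystone's own code: a simplified check of why the log above ends with `identity_values: []`. The mapping's only remote requirement is `eppn`, and no key in the logged assertion is `eppn`; the sample dictionaries are constructed from the log lines, and the function names and the `eppn` value in the second sample are hypothetical.

```python
"""Simplified mapping diagnostic (assumption: only plain {'type': ...}
remote requirements are modelled; any_one_of, not_any_of, whitelist and
blacklist conditions are ignored)."""

# Constructed sample: the rule from the "rules:" log line.
RULES = [{
    "local": [{"user": {"name": "{0}"}},
              {"group": {"domain": {"name": "federated_domain"},
                         "name": "federated_users"}}],
    "remote": [{"type": "eppn"}],
}]

# Constructed sample: a few keys copied from the "assertion:" log line.
# Only web-server/WSGI variables are present, no IdP-supplied attribute.
ASSERTION_FROM_LOG = {
    "REQUEST_METHOD": ["GET"],
    "HTTP_PAOS": ['ver="urn:liberty:paos:2003-08"',
                  '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'],
    "REMOTE_ADDR": ["10.12.215.84"],
    "HTTP_ACCEPT": ["text/html, application/vnd.paos+xml"],
}

# Constructed sample: the same request with a hypothetical eppn attribute.
ASSERTION_WITH_EPPN = dict(ASSERTION_FROM_LOG, eppn=["user@example.org"])


def missing_remote_types(rule, assertion):
    """Return the remote attribute names a rule needs but the assertion lacks."""
    return [req["type"] for req in rule.get("remote", [])
            if not assertion.get(req["type"])]


def diagnose(rules, assertion):
    """Map each rule index to its missing attributes (empty list = usable)."""
    return {i: missing_remote_types(r, assertion) for i, r in enumerate(rules)}


def any_rule_usable(rules, assertion):
    """True if at least one rule has every required attribute present."""
    return any(not miss for miss in diagnose(rules, assertion).values())


if __name__ == "__main__":
    for name, a in (("from log", ASSERTION_FROM_LOG),
                    ("with eppn", ASSERTION_WITH_EPPN)):
        print(name, diagnose(RULES, a), "usable:", any_rule_usable(RULES, a))
```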

tags: added: office-hours
tags: added: federation
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
milestone: none → pike-3
Kristi Nikolla (knikolla) wrote :

Found the cause. Since Devstack moved everything to uwsgi with mod_proxy_uwsgi, restarting apache now doesn't restart keystone. The devstack@keystone service needs to be restarted. Will have a patch up for the Devstack plugin today.

Changed in keystone:
assignee: nobody → Kristi Nikolla (knikolla)
Kristi Nikolla (knikolla) wrote :

Hmmm... seems like I was wrong and that wasn't the issue. Will investigate more.

Changed in keystone:
milestone: pike-3 → pike-rc1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/487202

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/487202
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e5666f92d5dbff86fc3267b950ddc6812439a3f3
Submitter: Jenkins
Branch: master

commit e5666f92d5dbff86fc3267b950ddc6812439a3f3
Author: Kristi Nikolla <email address hidden>
Date: Tue Jul 25 16:31:10 2017 -0400

    In the devstack plugin, restart keystone after modifying conf

    Keystone was complaining about not being able to load the
    remote_id_attribute in the mapped group [0]. Since moving
    to uwsgi, restarting keystone is done separately from apache,
    so the configuration file wasn't being reloaded. Added a line
    to restart the keystone service.

    Also added a line to restart apache after configuration.

    [0] http://paste.openstack.org/show/616498/

    Change-Id: I4e7c04241c5058152529f8c95963be6f05f51a51
    Closes-Bug: 1700847

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0b3

This issue was fixed in the openstack/keystone 12.0.0.0b3 development milestone.
