Mirantis OpenStack

v3unscopedsaml doesn't work in python-openstackclient-2.2.0

Bug #1627070 reported by Stanislav Kolenkin on 2016-09-23

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Mirantis OpenStack	Confirmed	Medium	MOS Keystone	Mirantis OpenStack 9.x-updates
	9.x	Confirmed	Medium	MOS Keystone	Mirantis OpenStack 9.x-updates

Bug Description

MOS9.0
python-openstackclient-2.2.0

I have tried get tooken from keystone.idp I had the following error:
BadRequest: Expecting to find application/json in Content-Type header - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400) (Request-ID: req-d5d2081d-7661-4983-acb0-efbca5dbc181)

/usr/local/bin/openstack --debug --os-auth-type v3unscopedsaml --os-identity-provider cloud1 --os-identity-provider-url http://10.200.1.3:5000/v3/auth/OS-FEDERATION/saml2/ecp --os-username admin --os-password admin --os-project-name admin --os-project-domain-name Default --os-auth-url http://10.200.11.3:5000/v3 --os-protocol saml2 token issue
START with options: ['--debug', '--os-auth-type', 'v3unscopedsaml', '--os-identity-provider', 'cloud1', '--os-identity-provider-url', 'http://10.200.1.3:5000/v3/auth/OS-FEDERATION/saml2/ecp', '--os-username', 'admin', '--os-password', 'admin', '--os-project-name', 'admin', '--os-project-domain-name', 'Default', '--os-auth-url', 'http://10.200.11.3:5000/v3', '--os-protocol', 'saml2', 'token', 'issue']
options: Namespace(access_token_endpoint='', auth_type='v3unscopedsaml', auth_url='http://10.200.11.3:5000/v3', cacert='', client_id='', client_secret='***', cloud='', debug=True, default_domain='Default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='cloud1', identity_provider_url='http://10.200.1.3:5000/v3/auth/OS-FEDERATION/saml2/ecp', insecure=None, interface='', log_file=None, os_clustering_api_version='1', os_compute_api_version='', os_data_processing_api_version='1.1', os_data_processing_url='', os_dns_api_version='2', os_identity_api_version='3', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_queues_api_version='1.1', os_volume_api_version='', os_workflow_api_version='2', password='***', profile=None, project_domain_id='', project_domain_name='Default', project_id='', project_name='admin', protocol='saml2', region_name='RegionOne', scope='', service_provider_endpoint='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='admin', verbose_level=3, verify=None)
Deferring keystone exception: The plugin v3unscopedsaml could not be found
defaults: {u'auth_type': 'password', u'status': u'active', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'api_timeout': None, u'baremetal_api_version': u'1', u'image_api_version': u'2', u'metering_api_version': u'2', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'key_manager_api_version': u'v1', 'verify': True, u'identity_api_version': u'2.0', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'container_api_version': u'1', u'dns_api_version': u'2', u'object_store_api_version': u'1', u'interface': None, u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'v3unscopedsaml', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'data_processing_api_version': '1.1', u'network_api_version': u'2', 'protocol': 'saml2', u'message': u'', u'image_format': u'qcow2', 'networks': [], u'image_api_version': u'2', 'clustering_api_version': '1', 'verify': True, u'dns_api_version': '2', u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', 'api_timeout': None, u'baremetal_api_version': u'1', 'queues_api_version': '1.1', 'auth': {'username': 'admin', 'identity_provider_url': 'http://10.200.1.3:5000/v3/auth/OS-FEDERATION/saml2/ecp', 'project_name': 'admin', 'identity_provider': 'cloud1', 'auth_url': 'http://10.200.11.3:5000/v3', 'password': '***', 'project_domain_name': 'Default'}, 'default_domain': 'Default', u'container_api_version': u'1', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': '1', 'timing': False, 'cacert': None, u'key_manager_api_version': '1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': '3', 'workflow_api_version': '2', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': None, u'disable_vendor_agent': {}}
compute API version 2, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 2, cmd group openstack.volume.v2
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
messaging API version 1.1, cmd group openstack.messaging.v1
clustering API version 1, cmd group openstack.clustering.v1
data_processing API version 1.1, cmd group openstack.data_processing.v1
orchestration API version 1, cmd group openstack.orchestration.v1
workflow_engine API version 2, cmd group openstack.workflow_engine.v2
key_manager API version 1, cmd group openstack.key_manager.v1
dns API version 2, cmd group openstack.dns.v2
command: token issue -> openstackclient.identity.v3.token.IssueToken
Auth plugin v3unscopedsaml selected
auth_type: v3unscopedsaml
Using auth plugin: v3unscopedsaml
Using parameters {'username': 'admin', 'identity_provider_url': 'http://10.200.1.3:5000/v3/auth/OS-FEDERATION/saml2/ecp', 'project_name': 'admin', 'auth_url': 'http://10.200.11.3:5000/v3', 'identity_provider': 'cloud1', 'password': '***', 'project_domain_name': 'Default'}
Get auth_ref
REQ: curl -g -i -X GET http://10.200.11.3:5000/v3/OS-FEDERATION/identity_providers/cloud1/protocols/saml2/auth -H "PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"" -H "Accept: text/html, application/vnd.paos+xml" -H "User-Agent: python-openstackclient keystoneauth1/2.12.1 python-requests/2.11.1 CPython/2.7.6"
Starting new HTTP connection (1): 10.200.11.3
"GET /v3/OS-FEDERATION/identity_providers/cloud1/protocols/saml2/auth HTTP/1.1" 200 1658
RESP: [200] Date: Fri, 23 Sep 2016 14:56:05 GMT Server: Apache Expires: 01-Jan-1997 12:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, private Pragma: no-cache Content-Length: 1658 Connection: close Content-Type: application/vnd.paos+xml
RESP BODY: <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header><paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1" responseConsumerURL="http://10.200.11.3:5000/Shibboleth.sso/SAML2/ECP" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/><ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://10.200.1.3:5000/shibboleth</saml:Issuer><samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:IDPEntry ProviderID="http://10.200.1.3:5000/v3/OS-FEDERATION/saml2/idp"/></samlp:IDPList></ecp:Request><ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">ss:mem:6a3ade0a623614a8dc2bb43b719b85babe371e4ce37e4f42f5f22b387a487fdd</ecp:RelayState></S:Header><S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://10.200.11.3:5000/Shibboleth.sso/SAML2/ECP" ID="_e63b9d967af5a81774eb13572a02b02a" IssueInstant="2016-09-23T14:56:05Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://10.200.1.3:5000/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/><samlp:Scoping><samlp:IDPList><samlp:IDPEntry ProviderID="http://10.200.1.3:5000/v3/OS-FEDERATION/saml2/idp"/></samlp:IDPList></samlp:Scoping></samlp:AuthnRequest></S:Body></S:Envelope>

Starting new HTTP connection (1): 10.200.1.3
"POST /v3/auth/OS-FEDERATION/saml2/ecp HTTP/1.1" 400 258
Request returned failure status: 400
Expecting to find application/json in Content-Type header - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400) (Request-ID: req-44fcfad6-d675-4f67-a53d-4cf7a58c7ada)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 380, in run_subcommand
    self.prepare_to_run_command(cmd)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 411, in prepare_to_run_command
    self.client_manager.auth_ref
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/clientmanager.py", line 210, in auth_ref
    self._auth_ref = self.auth.get_auth_ref(self.session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/contrib/auth/v3/saml2.py", line 453, in get_auth_ref
    token, token_json = self._get_unscoped_token(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/contrib/auth/v3/saml2.py", line 427, in _get_unscoped_token
    self._send_idp_saml2_authn_request(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/contrib/auth/v3/saml2.py", line 305, in _send_idp_saml2_authn_request
    authenticated=False, log=False)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 675, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/session.py", line 40, in request
    resp = super(TimingSession, self).request(url, method, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 570, in request
    raise exceptions.from_response(resp, method, url)
BadRequest: Expecting to find application/json in Content-Type header - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400) (Request-ID: req-44fcfad6-d675-4f67-a53d-4cf7a58c7ada)
clean_up IssueToken: Expecting to find application/json in Content-Type header - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400) (Request-ID: req-44fcfad6-d675-4f67-a53d-4cf7a58c7ada)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 118, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 267, in run
    result = self.run_subcommand(remainder)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 153, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 380, in run_subcommand
    self.prepare_to_run_command(cmd)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 411, in prepare_to_run_command
    self.client_manager.auth_ref
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/clientmanager.py", line 210, in auth_ref
    self._auth_ref = self.auth.get_auth_ref(self.session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/contrib/auth/v3/saml2.py", line 453, in get_auth_ref
    token, token_json = self._get_unscoped_token(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/contrib/auth/v3/saml2.py", line 427, in _get_unscoped_token
    self._send_idp_saml2_authn_request(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/contrib/auth/v3/saml2.py", line 305, in _send_idp_saml2_authn_request
    authenticated=False, log=False)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 675, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/session.py", line 40, in request
    resp = super(TimingSession, self).request(url, method, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 570, in request
    raise exceptions.from_response(resp, method, url)
BadRequest: Expecting to find application/json in Content-Type header - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400) (Request-ID: req-44fcfad6-d675-4f67-a53d-4cf7a58c7ada)

END return value: 1

Tags:

Stanislav Kolenkin (skolenkin) on 2016-09-23

Changed in mos:
assignee:	nobody → MOS Keystone (mos-keystone)

Boris Bobrov (bbobrov) on 2016-09-23

summary:	- [keystone] v3unscopedsaml doesn't work in python-openstackclient-2.2.0 + v3unscopedsaml doesn't work in python-openstackclient-2.2.0
Changed in mos:
importance:	Undecided → Medium
status:	New → Confirmed

Vitaly Sedelnik (vsedelnik) on 2016-09-26

Changed in mos:
milestone:	none → 9.2
tags:	added: area-keystone

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.