Re if Mitaka is affected:
When we tried to get an unscoped token in Mitaka, we failed with the following trace:
[req-a3e0e824-2c97-466a-b4c2-38079b1f0fa9 - - - - -] Unable to find valid groups while using mapping ldap-map
Traceback (most recent call last):
  File "/keystone/keystone/auth/plugins/mapped.py", line 67, in authenticate
    self.identity_api)
  File "/keystone/keystone/auth/plugins/mapped.py", line 160, in handle_unscoped_token
    utils.validate_groups_cardinality(group_ids, mapping_id)
  File "/keystone/keystone/federation/utils.py", line 259, in validate_groups_cardinality
    raise exception.MissingGroups(mapping_id=mapping_id)
MissingGroups: Unable to find valid groups while using mapping ldap-map
(got the trace via additional logging). I.e. a user with no groups was rejected at login. I don't know a way to get a scoped token without obtaining an unscoped one first. If that is indeed impossible, then Mitaka is not affected.
On the other hand, merging the fix into Mitaka should not break anything.