Bug 1415898

Summary: keystoneauth generates invalid Accept HTTP header
Product: Red Hat OpenStack
Reporter: John Dennis <jdennis>
Component: python-keystoneauth1
Assignee: John Dennis <jdennis>
Status: CLOSED ERRATA
QA Contact: Rodrigo Duarte <rduartes>
Severity: high
Priority: high
Version: 10.0 (Newton)
CC: apevec, jdennis, jschluet, lhh, mlopes, rduartes
Target Milestone: z2
Keywords: ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-keystoneauth1-2.12.2-2.el7ost
Doc Type: If docs needed, set a value
Last Closed: 2017-03-01 13:38:42 UTC
Type: Bug

Description John Dennis 2017-01-24 02:55:39 UTC
During SAML ECP authentication 2 specially formatted HTTP headers *MUST* be included in the request in order for the SP (Service Provider) to recognize the client is ECP capable and to start the SAML ECP flow. One is the PAOS header and the other is the Accept header which must include the "application/vnd.paos+xml" media type. Media types in the Accept header are separated by a comma (,). Unfortunately keystoneauth uses a semicolon (;) as the media type separator. The HTTP spec reserves the semicolon in the Accept header to attach parameters to the media type. For example

Accept: type1;params1,type2;params2

Using a semicolon as a media type separator is syntactically invalid and can cause failures in servers that parse the Accept header. For example, mod_auth_mellon emits this error message and fails to process the ECP request:

request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False

This indicates only 1 of the 2 required conditions was met.

The irony is this issue was originally reported here:
https://bugs.launchpad.net/python-keystoneclient/+bug/1488722

And merged here:
https://review.openstack.org/#/c/217450/

But this was done about the time all the client libs and openstack client were being developed; Jamie Lennox noted the fix needed to be merged at some point in that code, but as far as I can tell that work was abandoned when the branch was abandoned.

All of this is to say we need to apply the same trivial 1-character fix to keystoneauth that was lost along the way.
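
The following is an added illustration, not code from the bug report or from keystoneauth/mod_auth_mellon. It parses an Accept header the way RFC 7231 structures it (comma between media ranges, semicolon before parameters) and then reproduces the two conditions the mod_auth_mellon log line above reports. The header strings and the PAOS header value are constructed samples; with the semicolon form, the PAOS media type is swallowed as a parameter of `*/*`, so `have_paos_media_type` is False exactly as in the logged error.

```python
# Added example: why ';' instead of ',' hides the PAOS media type.

PAOS_MEDIA_TYPE = "application/vnd.paos+xml"

# Constructed sample headers (not copied from the report's logs):
# the pre-fix form keystoneauth emitted, and the corrected form.
BUGGY_ACCEPT = "*/*;application/vnd.paos+xml"
FIXED_ACCEPT = "*/*,application/vnd.paos+xml"


def parse_accept(header):
    """Parse an Accept header into [(media_range, {param: value}), ...].

    RFC 7231 separates media ranges with ',' and attaches parameters
    (such as q=0.8) to a range with ';'. Anything after a ';' is therefore
    a parameter of the preceding range, never a new media type.
    """
    ranges = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        media_range = parts[0].lower()
        params = {}
        for p in parts[1:]:
            if "=" in p:
                key, value = p.split("=", 1)
                params[key.strip().lower()] = value.strip().strip('"')
            else:
                # A bare token after ';' is a parameter name with no value.
                params[p.lower()] = ""
        ranges.append((media_range, params))
    return ranges


def accepts_media_type(header, wanted):
    """True if `wanted` is listed as a media range with a non-zero q-value."""
    for media_range, params in parse_accept(header):
        if media_range != wanted.lower():
            continue
        try:
            q = float(params.get("q", "1"))
        except ValueError:
            q = 0.0  # unparsable q-value: treat the range as not acceptable
        if q > 0:
            return True
    return False


def ecp_check(headers):
    """Mirror the two conditions behind the mod_auth_mellon log line.

    `headers` is a dict of request headers. Only the presence of a PAOS
    header is checked here; its content is not validated in this example.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    have_paos_header = "paos" in lowered
    have_paos_media_type = accepts_media_type(lowered.get("accept", ""), PAOS_MEDIA_TYPE)
    return {
        "have_paos_header": have_paos_header,
        "have_paos_media_type": have_paos_media_type,
        "is_paos": have_paos_header and have_paos_media_type,
    }


if __name__ == "__main__":
    # "PAOS-header-value" is a constructed placeholder, not the real header.
    for accept in (BUGGY_ACCEPT, FIXED_ACCEPT):
        print(accept, "->", ecp_check({"PAOS": "PAOS-header-value", "Accept": accept}))
```

Running the block prints one result per header: the semicolon form yields `is_paos: False` because the only media range parsed is `*/*`, while the comma form yields `is_paos: True`.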

Comment 1 John Dennis 2017-01-24 02:58:49 UTC
Merged upstream in:

master: b1301e606d29a99da9c81d4c1627a6bba4b0ddcc

stable/newton: 13b0e07b7ba58dcc1b743815743c655701d7b206

Already present in stable/ocata when branched from master.

Comment 2 John Dennis 2017-01-24 03:01:01 UTC
Patch is necessary to make Keystone federation work.

Comment 3 John Dennis 2017-01-24 03:04:19 UTC
Upstream gerrit review for master is:
https://review.openstack.org/#/c/420970/

Upstream gerrit review for stable/newton is:
https://review.openstack.org/#/c/421411/

Comment 7 Rodrigo Duarte 2017-02-21 23:28:48 UTC
Verified for python-keystoneauth1-2.18.0

- Try to use the v3samlpassword plugin:

$ openstack --debug --insecure --os-auth-url https://10.0.0.101:13000/v3 --os-identity-api-version 3 --os-auth-type v3samlpassword ...

- Digging through the logs, we can find 'Accept': '*/*,application/vnd.paos+xml'; the header is correctly using , instead of ;

Comment 9 errata-xmlrpc 2017-03-01 13:38:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0355.html

Comment 10 Red Hat Bugzilla 2023-09-14 03:52:38 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days