yahoo-eng-team team mailing list archive

[Bug 1173315] Re: support for role_name_attribute mapping in folsom


This looks to be configurable in grizzly, but doesn't look to be
backportable to folsom, as we can't backport features.

** Changed in: keystone
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1173315

Title:
  support for role_name_attribute mapping in folsom

Status in OpenStack Identity (Keystone):
  Won't Fix

Bug description:
  Use of the role_name_attribute parameter in keystone.conf is not supported
  in Folsom, preventing the ability to override the default value of
  'cn'.  In LDAP where the role name is stored under a different
  attribute, 'ou' for example, Keystone is unable to locate the admin role.

  Adding support for role_name_attribute will enhance the usability of
  keystone with LDAP.

  Example of keystone role-list current behavior when the role name is
  stored in the 'ou' attribute.

  +----------------------------------+----------------------------------+
  |                id                |               name               |
  +----------------------------------+----------------------------------+
  | 05687c1bc1e548fabbf1dfb423129c57 | 05687c1bc1e548fabbf1dfb423129c57 |
  | 7a8f9bd7b28f4b11bb6b39b1e5365b89 | 7a8f9bd7b28f4b11bb6b39b1e5365b89 |
  +----------------------------------+----------------------------------+

  Example of keystone role-list when role_name_attribute is supported
  and mapped to 'ou'.

  +----------------------------------+-------+
  |                id                |  name |
  +----------------------------------+-------+
  | 05687c1bc1e548fabbf1dfb423129c57 | admin |
  | 7a8f9bd7b28f4b11bb6b39b1e5365b89 |  user |
  +----------------------------------+-------+

  To add support make the following changes:

  /opt/stack/keystone/keystone/config.py (in devstack build.  Will be
  located elsewhere in an OpenStack build)

  register_str('role_tree_dn', group='ldap', default=None)
  register_str('role_objectclass', group='ldap', default='organizationalRole')
  register_str('role_id_attribute', group='ldap', default='cn')
  register_str('role_member_attribute', group='ldap', default='roleOccupant')
  register_str('role_name_attribute', group='ldap', default='ou')                                <== Add

  /opt/stack/keystone/keystone/identity/backends/ldap/core.py (in devstack build.  Will be located elsewhere in an OpenStack build)

  class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
      DEFAULT_OU = 'ou=Roles'
      DEFAULT_STRUCTURAL_CLASSES = []
      options_name = 'role'
      DEFAULT_OBJECTCLASS = 'organizationalRole'
      DEFAULT_MEMBER_ATTRIBUTE = 'roleOccupant'
      attribute_mapping = {'name': 'cn',
                           #'serviceId': 'service_id',
                           }
      model = models.Tenant

      def __init__(self, conf):
          super(RoleApi, self).__init__(conf)
          self.api = ApiShim(conf)
          self.attribute_mapping['name'] = conf.ldap.role_name_attribute                 <== Add
          self.member_attribute = (getattr(conf.ldap, 'role_member_attribute')
                                   or self.DEFAULT_MEMBER_ATTRIBUTE)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1173315/+subscriptions
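The effect the bug report describes, as an added example that is not Keystone code and not part of the original message: a minimal model of the RoleApi attribute mapping over constructed LDAP entries, showing that with 'name' pinned to 'cn' the role names collapse into the role ids and an 'admin' lookup by name fails, while mapping 'name' to 'ou' (the hypothetical role_name_attribute argument stands in for conf.ldap.role_name_attribute) makes the lookup succeed.

```python
# Added example, not Keystone code. Models how an LDAP role entry becomes a
# {'id', 'name'} record under RoleApi.attribute_mapping, and why the admin
# role cannot be found by name when 'name' cannot be remapped from 'cn'.

# Constructed LDAP entries (not from a real directory): the human-readable
# role name lives in 'ou', while 'cn' carries the opaque role id.
LDAP_ROLE_ENTRIES = [
    ("cn=05687c1bc1e548fabbf1dfb423129c57,ou=Roles,dc=example,dc=com",
     {"cn": ["05687c1bc1e548fabbf1dfb423129c57"], "ou": ["admin"],
      "objectClass": ["organizationalRole"]}),
    ("cn=7a8f9bd7b28f4b11bb6b39b1e5365b89,ou=Roles,dc=example,dc=com",
     {"cn": ["7a8f9bd7b28f4b11bb6b39b1e5365b89"], "ou": ["user"],
      "objectClass": ["organizationalRole"]}),
]


def list_roles(entries, role_id_attribute="cn", role_name_attribute="cn"):
    """Apply an attribute mapping {'id': role_id_attribute,
    'name': role_name_attribute} to each entry. The defaults mirror the
    Folsom situation where 'name' is hard-wired to 'cn'. An entry that
    lacks the mapped attribute yields name None rather than raising."""
    roles = []
    for _dn, attrs in entries:
        roles.append({
            "id": attrs[role_id_attribute][0],
            "name": attrs.get(role_name_attribute, [None])[0],
        })
    return roles


def find_role_by_name(roles, wanted):
    """Return the id of the role named `wanted`, or None if no role carries
    that name. This is the lookup that fails for 'admin' when names are ids."""
    for role in roles:
        if role["name"] == wanted:
            return role["id"]
    return None


if __name__ == "__main__":
    unmapped = list_roles(LDAP_ROLE_ENTRIES)                          # Folsom: name == cn
    mapped = list_roles(LDAP_ROLE_ENTRIES, role_name_attribute="ou")  # with the option
    print("admin id, name mapped to cn:", find_role_by_name(unmapped, "admin"))
    print("admin id, name mapped to ou:", find_role_by_name(mapped, "admin"))
```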