
yahoo-eng-team team mailing list archive

[Bug 1290258] [NEW] Group ids are not validated after SAML2->groups mapping and federated token scoping


Public bug reported:

During federated authentication, a dedicated mechanism called RuleProcessor maps SAML2 parameters into Keystone groups. It's done by matching certain rules added by cloud administrators. However, Keystone doesn't check whether the resulting groups are present in the backend. This may lead to "mapping doesn't work as expected" errors due to a typo in the rule, or to situations where a group was deleted and admins are not aware of that fact.
The fix should include a function that checks whether all the groups are present in the backend and, if not, logs a warning and removes the nonexistent groups from the list. The same policy should be applied when scoping a federated unscoped token.
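The check proposed above, as an added example rather than Keystone's own code or the reporter's patch: a function that takes the group references produced by the mapping rules, asks the identity backend for each one, logs a warning for every id that does not exist, and returns only the surviving groups. The backend interface (`get_group` raising `GroupNotFound`) and the in-memory backend are assumptions standing in for Keystone internals; the sample group ids are constructed.

```python
"""Added example (not Keystone's own code): drop mapped group ids that do
not exist in the identity backend, logging a warning for each one.

Assumptions (hypothetical stand-ins for Keystone internals):
  - `identity_api.get_group(group_id)` returns the group or raises
    `GroupNotFound`, mirroring the shape of Keystone's identity API.
  - Mapped groups are dicts of the form {"id": "<group id>"}.
"""
import logging

LOG = logging.getLogger(__name__)


class GroupNotFound(Exception):
    """Raised by the backend when a group id does not exist."""


class InMemoryIdentityApi:
    """Constructed stand-in for the identity backend."""

    def __init__(self, group_ids):
        self._groups = {gid: {"id": gid, "name": gid} for gid in group_ids}

    def get_group(self, group_id):
        try:
            return self._groups[group_id]
        except KeyError:
            raise GroupNotFound(group_id)


def validate_groups(group_refs, identity_api):
    """Return only the mapped groups that exist in the backend.

    Each missing group id is logged as a warning so an admin can spot a
    typo in a mapping rule or a group that was deleted after the rule was
    written.  The surviving list is what should back the unscoped
    federated token, and the same call is reused when that token is
    later scoped, so a group deleted in between is dropped there too.
    """
    valid = []
    for group in group_refs:
        group_id = group["id"]
        try:
            identity_api.get_group(group_id)
        except GroupNotFound:
            LOG.warning("Mapped group %s does not exist in the backend; "
                        "dropping it from the federated token", group_id)
            continue
        valid.append(group)
    return valid


def validated_group_ids(group_refs, identity_api):
    """Convenience wrapper returning just the surviving group ids."""
    return [g["id"] for g in validate_groups(group_refs, identity_api)]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample: the backend knows two groups; the mapping rules
    # produced a third id with a typo and one that was later deleted.
    backend = InMemoryIdentityApi(["admins", "developers"])
    mapped = [{"id": "admins"}, {"id": "develpers"}, {"id": "deleted-group"}]
    print(validated_group_ids(mapped, backend))  # ['admins']
```

Because the function only removes ids and never adds any, a mapping rule can never grant membership in a group that the backend does not know about; the warning line is the signal an operator would alert on to catch a broken rule before users notice missing permissions.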

** Affects: keystone
     Importance: Undecided
     Assignee: Marek Denis (marek-denis)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Marek Denis (marek-denis)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1290258

Title:
  Group ids are not validated after SAML2->groups mapping and federated
  token scoping

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1290258/+subscriptions
