
yahoo-eng-team team mailing list archive

[Bug 1290258] Re: Group ids are not validated after SAML2->groups mapping and federated token scoping

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1290258

Title:
  Group ids are not validated after SAML2->groups mapping and federated
  token scoping

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  During federated authentication, a dedicated mechanism called RuleProcessor maps SAML2 parameters into Keystone groups. It's done by matching certain rules added by cloud administrators. However, Keystone doesn't check whether the resulting groups are present in the backend. This may lead to errors like "mapping doesn't work as expected" due to a typo in the rule, or situations where a group was deleted and admins are not aware of that fact.
  The fix should include a function that checks whether all the groups are present in the backend and, if not, logs a warning and removes nonexistent groups from the list. The same policy should be applied when scoping a federated unscoped token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1290258/+subscriptions
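
The check the bug description asks for, sketched as an added example that is not part of the original bug report and is not Keystone's code. The names `InMemoryBackend`, `GroupNotFound`, `validate_group_ids` and `demo` are hypothetical, and the group ids are constructed sample data.

```python
import logging

LOG = logging.getLogger("federation.example")


class GroupNotFound(Exception):
    """Raised by the stand-in backend when a group id does not exist."""


class InMemoryBackend:
    """Constructed stand-in for the identity backend (hypothetical)."""

    def __init__(self, groups):
        self._groups = dict(groups)

    def get_group(self, group_id):
        if group_id not in self._groups:
            raise GroupNotFound(group_id)
        return self._groups[group_id]

    def delete_group(self, group_id):
        self._groups.pop(group_id, None)


def validate_group_ids(group_ids, backend, context):
    """Return the ids present in the backend, in order, without duplicates.

    Missing ids are logged at WARNING level and dropped from the result.
    """
    valid, seen = [], set()
    for group_id in group_ids:
        if group_id in seen:
            continue
        seen.add(group_id)
        try:
            backend.get_group(group_id)
        except GroupNotFound:
            LOG.warning("Dropping nonexistent group %r during %s",
                        group_id, context)
            continue
        valid.append(group_id)
    return valid


def demo():
    """Run the check at both points named in the bug description."""
    backend = InMemoryBackend({"admins": {}, "developers": {}})
    # Mapping output with a typo in one rule ("develpers").
    mapped = validate_group_ids(["admins", "develpers", "developers"],
                                backend, "SAML2 mapping")
    # A group is deleted after the unscoped token was issued.
    backend.delete_group("admins")
    scoped = validate_group_ids(mapped, backend, "token scoping")
    return mapped, scoped
```

Running the same function again at scoping time is what catches a group deleted after the unscoped token was issued.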

