yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #25640
[Bug 1390085] Re: if REMOTE_USER is returned from apache plugin, it shouldn't need to be mapped
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1390085
Title:
if REMOTE_USER is returned from apache plugin, it shouldn't need to be
mapped
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
With mod_auth_openidc (and many other apache plugins) the authN'ed
user name is set in the REMOTE_USER field of the environment. The
current code somewhat accounts for this, but the value is in the end,
ignored. The user still needs to have a map that sets the user name.
For instance, the following mapping:
[
{
"local": [
{
"user": {
"name": "{0}"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_EMAIL"
}
]
},
{
"local": [
{
"group": {
"id": "238c44612bcb411f86503cd2f91fd5db"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"accounts.google.com"
]
}
]
}
]
should be reduced to just, since the username is set in the REMOTE_USER field.
[
{
{
"local": [
{
"group": {
"id": "238c44612bcb411f86503cd2f91fd5db"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"accounts.google.com"
]
}
]
}
]
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1390085/+subscriptions
References
