yahoo-eng-team team mailing list archive
Message #54004
[Bug 1482701] Re: Federation: user's name in rules not respected
Reviewed: https://review.openstack.org/335617
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2042c955c81929deb47bc8cc77082b085faaa47d
Submitter: Jenkins
Branch: master
commit 2042c955c81929deb47bc8cc77082b085faaa47d
Author: Roxana Gherle <roxana.gherle@xxxxxxx>
Date: Wed Jun 29 11:21:13 2016 -0700

Fix the username value in federated tokens

Currently, in both unscoped and scoped federated tokens, the
username value in the token is equal to the userid and not to
the value of the username in the external identity provider.
This makes WebSSO login show the userid of the logged-in
user in the Horizon dashboard, whereas before it was showing
the actual user name.

This patch fixes the value of the username in the federated
tokens, which will fix the WebSSO issue as well, since Horizon
looks at the username value and displays that as the logged-in user.

Closes-Bug: #1597101
Closes-Bug: #1482701
Change-Id: I33a0274641c4e6bc4e127f5206ba9bc7dbd8e5a8

** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1482701
Title:
Federation: user's name in rules not respected
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
For a mapping rule (see local's user name and user id are different)
[
    {
        "local": [
            {
                "group": {
                    "id": "852d0dc079cf4709813583e92498e625"
                }
            },
            {
                "user": {
                    "id": "marek",
                    "name": "federated_user"
                }
            }
        ],
        "remote": [
            {
                "any_one_of": [
                    "user1",
                    "admin"
                ],
                "type": "openstack_user"
            }
        ]
    }
]
I can authenticate via federated workflow but the token JSON response
has (see id and name are identical):
u'user': {u'OS-FEDERATION': {u'groups': [{u'id': u'852d0dc079cf4709813583e92498e625'}],
                             u'identity_provider': {u'id': u'keystone-idp'},
                             u'protocol': {u'id': u'saml2'}},
          u'domain': {u'id': u'Federated',
                      u'name': u'Federated'},
          u'id': u'marek',
          u'name': u'marek'}}}
This happens for both UUID and Fernet tokens.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1482701/+subscriptions
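
Added example (not part of the original message and not keystone's code): a simplified evaluator for the mapping rule in the bug description, handling only `any_one_of` and `not_any_of`, plus a check that compares the mapped local user with the token's `user` block. The function names and the sample assertion are assumptions made for illustration.

```python
# Added illustration; a simplified stand-in for a mapping engine, not keystone's code.
MAPPING = [{
    "local": [
        {"group": {"id": "852d0dc079cf4709813583e92498e625"}},
        {"user": {"id": "marek", "name": "federated_user"}},
    ],
    "remote": [
        {"type": "openstack_user", "any_one_of": ["user1", "admin"]},
    ],
}]


def remote_matches(requirement, assertion):
    """True if the assertion satisfies one 'remote' requirement."""
    values = assertion.get(requirement["type"])
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    if "any_one_of" in requirement:
        return any(v in requirement["any_one_of"] for v in values)
    if "not_any_of" in requirement:
        return not any(v in requirement["not_any_of"] for v in values)
    return True  # bare "type": the attribute only has to be present


def map_user(mapping, assertion):
    """Return the 'user' dict of the first rule whose remote part all matches."""
    for rule in mapping:
        if all(remote_matches(r, assertion) for r in rule["remote"]):
            for local in rule["local"]:
                if "user" in local:
                    return dict(local["user"])
    return None


def token_user_mismatches(mapped_user, token_user):
    """List (field, expected, actual) triples where the token disagrees."""
    return [(f, mapped_user[f], token_user.get(f))
            for f in ("id", "name")
            if f in mapped_user and mapped_user[f] != token_user.get(f)]


# Constructed inputs: an assertion for "admin" and the user block from the report.
ASSERTION = {"openstack_user": "admin"}
REPORTED_TOKEN_USER = {"id": "marek", "name": "marek"}
```

Run against the reported token, `token_user_mismatches(map_user(MAPPING, ASSERTION), REPORTED_TOKEN_USER)` flags only the `name` field, which is the symptom described in the bug.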