yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1645910] Re: Trust creation for SSO users fails in assert_user_enabled

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lance Bragstad <lbragstad@xxxxxxxxx>
Date: Tue, 07 Mar 2017 20:44:02 -0000
Reply-to: Bug 1645910 <1645910@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

With https://review.openstack.org/#/c/399684/ implemented, this should
no longer be an issue. Federated users should resolve to a domain, and
in the default case, the domain of the identity provider. This is the
behavior as of the Ocata release.

** Changed in: keystone
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1645910

Title:
  Trust creation for SSO users fails in assert_user_enabled

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Openstack version: Mitaka
  Operation: Heat stack/trust creation for SSO users

  For SSO users, keystone trust creation workflow fails while asserting
  that the user is enabled.

  The assert_user_enabled() function in keystone/identity/core.py fails at the below line:
      self.resource_api.assert_domain_enabled(user['domain_id'])

  Since user['domain_id'] throws a KeyError for federated users, this
  function raises an exception. To avoid this failure, we should invoke
  assert_domain_enabled() check conditionally only for local users.

  Proposing to add a 'is_local' user flag to distinguish between local
  and federated users so that we can conditionally assert the user
  domain and do other such things.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1645910/+subscriptions

References

[Bug 1645910] [NEW] Trust creation for SSO users fails in assert_user_enabled
From: Pooja Ghumre, 2016-11-29