yahoo-eng-team team mailing list archive
Message #62331
[Bug 1673157] [NEW] type: local must be set in order to get domain parse when mapping federated users
Public bug reported:
Both the identity specs[1] and the federation guide[2] state:
"Federated will be displayed if no domain is specified in the local rule. User is deemed ephemeral and becomes a member of service domain named Federated. If the domain is specified the local domain's id will be displayed."
I understand this to mean that specifying a domain is enough for the user type to be set as "local" by the mapping engine. However, with the current implementation, setting a domain is useless unless "type" is set to "local".
I believe the responsible code is here:
https://github.com/openstack/keystone/blob/169e66ab8800148c4052a46d2cb321af33e44f77/keystone/federation/utils.py#L582-L597
Is this an implementation issue or a documentation issue?
TO REPRODUCE
============
$ cat input.txt
HTTP_OIDC_ISS: https://dummy/
$ # see the attached rules.json file
$ keystone-manage mapping_engine --rules /tmp/rules.json --input ajoga/test-input.txt
{
    "group_ids": [],
    "user": {
        "domain": {
            "id": "targetdomain"
        },
        "type": "local",
        "id": "test",
        "name": "test"
    },
    "projects": [],
    "group_names": []
}
$ # remove the line '"type": "local"' from rules.json
$ keystone-manage mapping_engine --rules /tmp/rules.json --input ajoga/test-input.txt
{
    "group_ids": [],
    "user": {
        "domain": {
            "id": "Federated"
        },
        "type": "ephemeral",
        "id": "test",
        "name": "test"
    },
    "projects": [],
    "group_names": []
}
[1] https://developer.openstack.org/api-ref/identity/v3-ext/index.html#os-federation-api
[2] https://docs.openstack.org/developer/keystone/federation/federated_identity.html
** Affects: keystone
Importance: Undecided
Status: New
** Attachment added: "rules.json"
https://bugs.launchpad.net/bugs/1673157/+attachment/4838346/+files/rules.json
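The behaviour reported above is easy to miss in a deployment: a mapping rule that names a domain but omits "type": "local" silently places the federated user in the "Federated" service domain rather than the intended one. The following added example (not keystone's code, and not the attached rules.json) reproduces that observed outcome in a small resolver and adds a lint that flags such rules before they are loaded. The sample rule set is constructed for illustration.

```python
"""Reproduce the observed mapping-engine outcome and lint rules for it."""
import json

# Constructed rule set modelled on the report: a domain is given, but
# "type": "local" is missing from the user block.
RULES_JSON = """
[
  {
    "local": [
      {"user": {"name": "{0}", "id": "{0}",
                "domain": {"id": "targetdomain"}}}
    ],
    "remote": [{"type": "HTTP_OIDC_ISS"}]
  }
]
"""


def load_rules(text=RULES_JSON):
    """Parse a mapping rule document (a JSON list of rules)."""
    return json.loads(text)


def resolve_user(local_user):
    """Mirror the behaviour shown in the bug output (not keystone's code):
    only an explicit type of 'local' keeps the rule's domain; any other
    value, including a missing type, yields an ephemeral user in the
    'Federated' domain."""
    user = dict(local_user)
    if user.get("type") == "local":
        return user
    user["type"] = "ephemeral"
    user["domain"] = {"id": "Federated"}
    return user


def lint_rules(rules):
    """Return (rule_index, domain_id) for each user rule that names a
    domain without setting type 'local', i.e. one whose domain would be
    replaced by 'Federated' at mapping time."""
    findings = []
    for idx, rule in enumerate(rules):
        for local in rule.get("local", []):
            user = local.get("user")
            if user and "domain" in user and user.get("type") != "local":
                findings.append((idx, user["domain"].get("id")))
    return findings


if __name__ == "__main__":
    for idx, domain in lint_rules(load_rules()):
        print(f"rule {idx}: domain {domain!r} set without 'type': 'local'")
```

Running the script prints one finding for the constructed rule; adding "type": "local" to the user block clears it.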
https://bugs.launchpad.net/bugs/1673157