
yahoo-eng-team team mailing list archive

[Bug 1694589] Re: Federation protocol creation gives error

 

I am still unable to recreate this using the directions supplied in the
description. I started with a fresh installation and did the following:

1.) installed keystone from source @ 239bc3627cfb0546148e9d496f9e1536057052a7
2.) recreated the database and populated it with data
3.) sourced the administrator's account

$ source rcfiles/adminrc
$ cat rcfiles/adminrc 
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_PROJECT_NAME=admin
export OS_DEFAULT_DOMAIN=default

4.) created a federated domain

$ openstack domain create federated_domain
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 50dfec355794433f8c88fdc69b836d25 |
| name        | federated_domain                 |
+-------------+----------------------------------+

5.) created a group for federated users

$ openstack group create federated_users
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| id          | c309cb3466854b61b6616fa68694040f |
| name        | federated_users                  |
+-------------+----------------------------------+

6.) granted the federated group the admin role on the federated domain

$ openstack role add --group federated_users --domain federated_domain admin
$ openstack role assignment list -f yaml --names                                                   
- Domain: ''
  Group: ''
  Inherited: false
  Project: admin@Default
  Role: admin
  User: admin@Default
- Domain: federated_domain
  Group: federated_users@Default
  Inherited: false
  Project: ''
  Role: admin
  User: ''

7.) created an identity provider

$ openstack identity provider create --remote-id https://accounts.google.com myidp
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | 6079116d115d407a94bb6ad109305e43 |
| enabled     | True                             |
| id          | myidp                            |
| remote_ids  | https://accounts.google.com      |
+-------------+----------------------------------+

8.) created a mapping

$ cat rules.json 
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "federated_users"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_EMAIL"
            }
        ]
    }
]
$ openstack mapping create --rules rules.json myidp_mapping
+-------+--------------------------------------------------------------------------------------------------------------------------+
| Field | Value                                                                                                                    |
+-------+--------------------------------------------------------------------------------------------------------------------------+
| id    | myidp_mapping                                                                                                            |
| rules | [{u'remote': [{u'type': u'HTTP_OIDC_EMAIL'}], u'local': [{u'group': {u'domain': {u'name': u'Default'}, u'name':          |
|       | u'federated_users'}, u'user': {u'name': u'{0}'}}]}]                                                                      |
+-------+--------------------------------------------------------------------------------------------------------------------------+


9.) created a protocol

$ openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp
+-------------------+---------------+
| Field             | Value         |
+-------------------+---------------+
| id                | mapped        |
| identity_provider | myidp         |
| mapping           | myidp_mapping |
+-------------------+---------------+


I was able to delete and recreate the mapping without issue. Is there something in a separate rules file when creating the second mapping?

Marking this as invalid for now. Please feel free to reopen if there is
more information that helps clarify how to recreate this.


** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1694589

Title:
  Federation protocol creation gives error

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  I am trying to configure OIDC with keystone.
  I have followed the below steps to create the federated resources.

  source accr/admin/admin
  export OS_IDENTITY_API_VERSION=3
  openstack domain create federated_domain
  openstack group create federated_users
  openstack role add --group federated_users --domain federated_domain admin
  openstack identity provider create --remote-id https://accounts.google.com myidp

  export remote_type=HTTP_OIDC_EMAIL
  cat > rules.json <<EOF
  [
      {
          "local": [
              {
                  "user": {
                      "name": "{0}"
                  },
                  "group": {
                      "domain": {
                          "name": "Default"
                      },
                      "name": "federated_users"
                  }
              }
          ],
          "remote": [
              {
                  "type": "${remote_type}"
              }
          ]
      }
  ]
  EOF
  openstack mapping create --rules rules.json myidp_mapping

  However, the step to create the federation protocol is giving me errors:
  openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp

  I'm getting the below error:
  string indices must be integers (HTTP 400) (Request-ID: req-85e59791-fc09-49ab-9204-4363b12f95e1)

  The first time I created a mapping and a protocol things were fine.
  But when I deleted the older mapping and re-created new rules for the
  mapping and tried creating the protocol, I got the above error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1694589/+subscriptions
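As an added example (not keystone's code, and not posted by either participant in this thread), here is a simplified Python evaluator for mapping rules of the shape used above: it parses a rules document like rules.json, validates the structure before use, and shows how the HTTP_OIDC_EMAIL value reaches the local user name through "{0}" while the group is assigned verbatim. The any_one_of / not_any_of / regex constraint keywords are keystone mapping-rule features the thread does not use; supporting them here goes slightly beyond the posted rules. The assertion dictionary and the rules text are constructed for the example. In Python, indexing a str with a string key is what raises "string indices must be integers"; the validator rejects rule shapes that would lead there, but whether that is what happened in the report cannot be told from the thread.

```python
"""Simplified evaluator for keystone-style federation mapping rules.

Added example, not keystone's code: a cut-down stand-in for the mapping
engine showing how "remote" entries select assertion attributes and how
"{0}" in "local" is filled from them. Inputs below are constructed.
"""
import json
import re

# Constructed: the same shape as the rules.json in the bug report.
RULES_JSON = """
[{"local": [{"user": {"name": "{0}"},
             "group": {"domain": {"name": "Default"}, "name": "federated_users"}}],
  "remote": [{"type": "HTTP_OIDC_EMAIL"}]}]
"""

# Constructed: attributes an OIDC Apache module would hand keystone after a
# Google login. Only the attributes the rules name are consulted.
ASSERTION = {
    "HTTP_OIDC_EMAIL": "alice@example.com",
    "HTTP_OIDC_ISS": "https://accounts.google.com",
}

load_rules = json.loads  # parse the text that would be handed to --rules


def validate_rules(rules):
    """Return structural problems with a rules document (empty list: OK).

    Catches a top-level object instead of a list, and a string or object
    where a list of {"type": ...} entries is expected.
    """
    problems = []
    if not isinstance(rules, list):
        return ["top-level value must be a list of rules, not %s" % type(rules).__name__]
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append("rule %d must be an object" % i)
            continue
        if not isinstance(rule.get("local"), list):
            problems.append("rule %d: 'local' must be a list" % i)
        remotes = rule.get("remote")
        if not isinstance(remotes, list):
            problems.append("rule %d: 'remote' must be a list" % i)
            remotes = []
        for j, remote in enumerate(remotes):
            if not isinstance(remote, dict) or "type" not in remote:
                problems.append("rule %d remote %d: expected an object with 'type'" % (i, j))
            elif "any_one_of" in remote and "not_any_of" in remote:
                problems.append("rule %d remote %d: any_one_of and not_any_of are exclusive" % (i, j))
    return problems


def _matches(remote, value):
    """Apply optional any_one_of / not_any_of constraints (regex when asked)."""
    if value is None:  # attribute absent from the assertion: no match
        return False
    regex = remote.get("regex", False)

    def hit(pattern):
        return bool(re.search(pattern, value)) if regex else pattern == value

    if "any_one_of" in remote:
        return any(hit(p) for p in remote["any_one_of"])
    if "not_any_of" in remote:
        return not any(hit(p) for p in remote["not_any_of"])
    return True


def _substitute(obj, values):
    """Fill {0}, {1}, ... in every string with the matched remote values."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, values) for v in obj]
    return obj


def process(rules, assertion):
    """Evaluate all rules; return the user and groups the assertion maps to.

    A rule matches only if every remote entry is present and passes its
    constraints; the matched values are then available positionally to "local".
    """
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    result = {"user": None, "groups": []}
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            value = assertion.get(remote["type"])
            if not _matches(remote, value):
                values = None
                break
            values.append(value)
        if values is None:
            continue
        for local in _substitute(rule["local"], values):
            if "user" in local:
                result["user"] = local["user"]
            if "group" in local:
                result["groups"].append(local["group"])
    return result


def demo():
    """Run the report's rules against the constructed assertion."""
    return process(load_rules(RULES_JSON), ASSERTION)
```

Running demo() yields a user named alice@example.com placed in the federated_users group of the Default domain, which is the intent of the rules in the report. Adding a second remote entry on HTTP_OIDC_ISS with any_one_of pins the rule to one issuer, so an email claim from a different provider no longer maps to a local user.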

