yahoo-eng-team team mailing list archive
Message #66526
[Bug 1673157] Re: type: local must be set in order to get domain parsed when mapping federated users
Reviewed: https://review.openstack.org/491478
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d10908caa9909b9f178a59551f004a80a722cf2e
Submitter: Jenkins
Branch: master
commit d10908caa9909b9f178a59551f004a80a722cf2e
Author: Colleen Murphy <colleen.murphy@xxxxxxxx>
Date: Mon Aug 7 14:17:20 2017 +0200
Document required `type` mapping attribute
In order for a federated user to be mapped to a local user that exists
in the identity backend, the user object in the local mapping rule must
have the property "type": "local" set, in addition to having a keystone
domain provided. This was probably not the original intention of the
local user mapping spec[1], but this is how it ended up being
implemented. We could choose to change the behavior of the code, but
it has been around long enough that it is possible that deployments are
depending on this behavior, and moreover making rules explicit rather
than implicit reduces the risk of bugs and mistakes.
This patch updates the api-ref documentation and the standard federation
documentation to include the "type" property when mapping to local
users. In addition, since we now have two keywords called "local" that
mean somewhat different things, we expand the context of some of the
mapping examples so that both the rule name "local" and the value
"local" of the attribute "type" appear in the example, for clarity.
Change-Id: Ib35e57e33903de14f9cac1f919c32dfe923ef884
Closes-bug: #1673157
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1673157
Title:
type: local must be set in order to get domain parsed when mapping
federated users
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
Both the identity specs[1] and the federation guide[2] state:
"Federated will be displayed if no domain is specified in the local
rule. User is deemed ephemeral and becomes a member of service domain
named Federated. If the domain is specified the local domain’s id will
be displayed."
I understand this as specifying a domain is enough for the user type
to be set as "local" by the mapping engine. However, with the current
implementation, setting a domain is useless unless "type" is set to
"local".
I believe the responsible code is here:
https://github.com/openstack/keystone/blob/169e66ab8800148c4052a46d2cb321af33e44f77/keystone/federation/utils.py#L582-L597
Is this an implementation issue or a documentation issue?
TO REPRODUCE
============
$ cat input.txt
HTTP_OIDC_ISS: https://dummy/
$ # see the attached rules.json file
$ keystone-manage mapping_engine --rules /tmp/rules.json --input ajoga/test-input.txt
{
    "group_ids": [],
    "user": {
        "domain": {
            "id": "targetdomain"
        },
        "type": "local",
        "id": "test",
        "name": "test"
    },
    "projects": [],
    "group_names": []
}
$ # remove the line '"type": "local"' from rules.json
$ keystone-manage mapping_engine --rules /tmp/rules.json --input ajoga/test-input.txt
{
    "group_ids": [],
    "user": {
        "domain": {
            "id": "Federated"
        },
        "type": "ephemeral",
        "id": "test",
        "name": "test"
    },
    "projects": [],
    "group_names": []
}
[1] https://developer.openstack.org/api-ref/identity/v3-ext/index.html#os-federation-api
[2] https://docs.openstack.org/developer/keystone/federation/federated_identity.html
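An added illustration (not keystone's own code and not the bug's attached rules.json) of the behaviour the reproduction above shows: a small model of the mapping decision, plus a check that flags rules setting a domain without "type": "local", which is the misconfiguration that silently yields an ephemeral user. The rules below are constructed; the domain name "Federated" assumes keystone's default federated_domain_name, as seen in the output above.

```python
import copy
import json

# Assumption: keystone's default federated_domain_name (the bug output shows "Federated").
FEDERATED_DOMAIN = "Federated"


def resolve_user(local_user):
    """Model of the behaviour reported in the bug (not keystone's code):
    the user is mapped to a local identity only when "type": "local" is
    present; otherwise it is ephemeral and forced into the Federated
    domain, even if the rule supplied a domain."""
    user = dict(local_user)
    if user.get("type") != "local":
        user["type"] = "ephemeral"
        user["domain"] = {"id": FEDERATED_DOMAIN}
    return user


def lint_rules(rules):
    """Return one warning per local user rule that sets a domain but
    omits "type": "local"; such a rule will not match an existing user."""
    warnings = []
    for i, rule in enumerate(rules):
        for local in rule.get("local", []):
            user = local.get("user")
            if user and "domain" in user and user.get("type") != "local":
                warnings.append(
                    'rule %d: user sets domain %r without "type": "local"; '
                    "it will be mapped as ephemeral into the %s domain"
                    % (i, user["domain"], FEDERATED_DOMAIN)
                )
    return warnings


# Constructed rules in the shape of a keystone mapping: a local user "test"
# in domain "targetdomain", matched on the HTTP_OIDC_ISS remote attribute.
RULES_MISSING_TYPE = json.loads("""[{
  "local": [{"user": {"name": "test", "id": "test",
                      "domain": {"id": "targetdomain"}}}],
  "remote": [{"type": "HTTP_OIDC_ISS"}]
}]""")

# The same rule with the required attribute added.
RULES_FIXED = copy.deepcopy(RULES_MISSING_TYPE)
RULES_FIXED[0]["local"][0]["user"]["type"] = "local"

if __name__ == "__main__":
    for name, rules in (("missing type", RULES_MISSING_TYPE), ("fixed", RULES_FIXED)):
        print(name, lint_rules(rules) or "ok",
              resolve_user(rules[0]["local"][0]["user"]))
```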
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1673157/+subscriptions