yahoo-eng-team team mailing list archive
Message #72027
[Bug 1746599] Re: User email not being set for federated shadow users
Reviewed: https://review.openstack.org/549723
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=475ea454ee06d4b3cf4d423aa26b2432e5928767
Submitter: Zuul
Branch: master
commit 475ea454ee06d4b3cf4d423aa26b2432e5928767
Author: yangweiwei <yangweiwei@xxxxxxxxxxxxxxxxxxxx>
Date: Thu Mar 22 19:26:08 2018 +0800
Fix user email in federated shadow users

When the federated rule contains 'email' in user, we should set the
email for the federated user. Also, if the federated user changes the
email info, it should be changed too.

Change-Id: Ib17172c34bd65d5236cbfc192b3a3f2b221411ef
Closes-Bug: #1746599
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1746599
Title:
User email not being set for federated shadow users
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
keystone version: openstack-keystone-12.0.0-1.el7.noarch (RPM
installed in a kolla container)
We are using OpenID Connect federation with the following mapping rules:
$ openstack mapping show map_rules -f json
{
  "rules": [
    {
      "local": [
        {
          "user": {
            "name": "{0}",
            "email": "{4}"
          }
        },
        {
          "projects": [
            {
              "name": "{1}",
              "roles": [
                {
                  "name": "_member_"
                }
              ]
            }
          ]
        }
      ],
      "remote": [
        {
          "type": "OIDC-upn"
        },
        {
          "type": "OIDC-name"
        },
        {
          "type": "OIDC-given_name"
        },
        {
          "type": "OIDC-family_name"
        },
        {
          "type": "OIDC-unique_name"
        }
      ]
    }
  ],
  "id": "map_rules"
}
Identity provider:
$ openstack identity provider show openid-lab
+-------------+---------------------------------------------------------------+
| Field       | Value                                                         |
+-------------+---------------------------------------------------------------+
| description | None                                                          |
| domain_id   | 98401b16aa754830aa7e3eab92e7603b                              |
| enabled     | True                                                          |
| id          | openid-lab                                                    |
| remote_ids  | https://sts.windows.net/xxx-xxx-xxx-xxx/                      |
+-------------+---------------------------------------------------------------+
Federation protocol:
$ openstack federation protocol show --identity-provider openid-lab openid
+---------+-----------+
| Field   | Value     |
+---------+-----------+
| id      | openid    |
| mapping | map_rules |
+---------+-----------+
What should happen:
I would expect the user to get created with the email set like this:
$ openstack user show dbe5470baecb47fa95f3e0512b0f5744
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 98401b16aa754830aa7e3eab92e7603b |
| email               | martin.chlumsky@xxxxxxxxxx       |
| enabled             | True                             |
| id                  | dbe5470baecb47fa95f3e0512b0f5744 |
| name                | martin.chlumsky@xxxxxxxxxx       |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
What happens:
The user email doesn't get added to the user:
$ openstack user show dbe5470baecb47fa95f3e0512b0f5744
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 98401b16aa754830aa7e3eab92e7603b |
| enabled             | True                             |
| id                  | dbe5470baecb47fa95f3e0512b0f5744 |
| name                | martin.chlumsky@xxxxxxxxxx       |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
I can see the email property getting mapped correctly in the logs:
2018-01-31 20:51:05.118 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] rules: [{u'remote': [{u'type': u'OIDC-upn'}, {u'type': u'OIDC-name'}, {u'type': u'OIDC-given_name'}, {u'type': u'OIDC-family_name'}, {u'type': u'OIDC-unique_name'}], u'local': [{u'user': {u'name': u'{0}', u'email': u'{4}'}}, {u'projects': [{u'name': u'{1}', u'roles': [{u'name': u'_member_'}]}]}]}] process /usr/lib/python2.7/site-packages/keystone/federation/utils.py:518
2018-01-31 20:51:05.118 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'martin.chlumsky@xxxxxxxxxx'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.119 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'Martin Chlumsky'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.119 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'Martin'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.120 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'Chlumsky'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.120 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'martin.chlumsky@xxxxxxxxxx'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
2018-01-31 20:51:05.121 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.121 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'user': {u'name': u'{0}', u'email': u'{4}'}} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.121 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.122 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'name': u'{0}', u'email': u'{4}'} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.122 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.123 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'projects': [{u'name': u'{1}', u'roles': [{u'name': u'_member_'}]}]} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.123 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.124 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'name': u'{1}', u'roles': [{u'name': u'_member_'}]} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.124 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
2018-01-31 20:51:05.125 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'name': u'_member_'} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
2018-01-31 20:51:05.125 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] identity_values: [{u'user': {u'name': u'martin.chlumsky@xxxxxxxxxx', u'email': u'martin.chlumsky@xxxxxxxxxx'}}, {u'projects': [{u'name': u'Martin Chlumsky', u'roles': [{u'name': u'_member_'}]}]}] process /usr/lib/python2.7/site-packages/keystone/federation/utils.py:538
2018-01-31 20:51:05.126 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] mapped_properties: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'martin.chlumsky@xxxxxxxxxx', u'email': u'martin.chlumsky@xxxxxxxxxx'}, 'projects': [{u'name': u'Martin Chlumsky', u'roles': [{u'name': u'_member_'}]}], 'group_names': []} process /usr/lib/python2.7/site-packages/keystone/federation/utils.py:540
2018-01-31 20:51:05.126 19 INFO keystone.auth.plugins.mapped [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] bifbaz: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'martin.chlumsky@xxxxxxxxxx', u'email': u'martin.chlumsky@xxxxxxxxxx'}, 'projects': [{u'name': u'Martin Chlumsky', u'roles': [{u'name': u'_member_'}]}], 'group_names': []}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1746599/+subscriptions
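
Added example (not part of the original message and not keystone's code): a simplified Python model of the two steps the report walks through, resolving the {0}/{4} direct-map placeholders and then writing the shadow user so that the mapped email is stored and refreshed on a later login. The names resolve_direct_maps and upsert_shadow_user, the dict-based store and the sample assertion values are assumptions made for illustration.

```python
import re

# Constructed sample input modelled on the mapping and DEBUG lines in the report.
LOCAL_USER_RULE = {"name": "{0}", "email": "{4}"}
REMOTE_TYPES = ["OIDC-upn", "OIDC-name", "OIDC-given_name",
                "OIDC-family_name", "OIDC-unique_name"]
SAMPLE_ASSERTION = {
    "OIDC-upn": "user@example.test",
    "OIDC-name": "Test User",
    "OIDC-given_name": "Test",
    "OIDC-family_name": "User",
    "OIDC-unique_name": "user@example.test",
}


def resolve_direct_maps(local, remote_types, assertion):
    """Fill each {N} placeholder with the value of the N-th remote attribute.

    Every remote entry in the reported mapping is a bare "type", so the
    placeholder index is simply the position in the "remote" list.
    """
    values = [assertion[t] for t in remote_types]  # KeyError: claim missing
    return {key: re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], tmpl)
            for key, tmpl in local.items()}


def upsert_shadow_user(store, unique_id, mapped_user):
    """Hypothetical shadow-user write path; returns the fields it wrote."""
    changed = []
    record = store.get(unique_id)
    if record is None:
        record = store[unique_id] = {"name": mapped_user["name"]}
        changed.append("name")
    # The step missing in the report: copy 'email' from the mapped properties
    # into the stored user, and refresh it when the IdP later sends a new value.
    email = mapped_user.get("email")
    if email is not None and record.get("email") != email:
        record["email"] = email
        changed.append("email")
    return changed


if __name__ == "__main__":
    users = {}
    mapped = resolve_direct_maps(LOCAL_USER_RULE, REMOTE_TYPES, SAMPLE_ASSERTION)
    print(upsert_shadow_user(users, "constructed-id", mapped), users)
```

The list returned by upsert_shadow_user can be written to an audit log, so that changes to identity attributes arriving from the identity provider are recorded.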