yahoo-eng-team team mailing list archive

[Bug 1823847] [NEW] Multiple rules in a mapping is not working with type: "local" attribute

 

Public bug reported:

We have a requirement in which we want to set up an external Identity provider with keystone federation for SSO.
I have added two rules in a mapping which will match the criteria below, and added this mapping to the OS_FEDERATION identity provider.
Rule 1. If the user already exists in keystone, it should not create a new ephemeral user.
Rule 2. If the user is not found in keystone, it should create a new user in the SSO federated domain.

Problem:
If the user is not already present, it should match the second rule and a new user should be created. But it's throwing an Unauthorized error.
I think, with type: "local" specified, it will throw an Unauthorized error even if there are multiple rules for a given mapping.
With multiple rules specified, it should try to match a rule in order, which is not working as expected.

I have attached the mapping object for reference.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: federation

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1823847
