yahoo-eng-team team mailing list archive
Message #79017
[Bug 1834009] [NEW] Trust API does not support delegating federated roles (roles obtained from federated groups)
Public bug reported:
When a trust is created, the trustor user is required to have a role on the
project in question. This is verified via a call to the Keystone
database without looking at roles that can be inferred from federated
groups present in a token.
In this scenario, a federated user does not have any direct role
assignments in the Keystone database, only the ones that can be
inferred from federated group membership.
https://opendev.org/openstack/keystone/src/branch/stable/queens/keystone/trust/controllers.py#L141
https://opendev.org/openstack/keystone/src/branch/stable/queens/keystone/trust/controllers.py#L172-L178
A call to /v3/auth/tokens which verifies that the "roles" for the groups present in the "OS-FEDERATION" section are properly populated:
http://paste.openstack.org/show/753298/
"roles": [
    {
        "id": "e4ab04a7c6ec4c91a826b2a3ba333407",
        "domain_id": null,
        "name": "Member"
    }
# ...
"user": {
    "OS-FEDERATION": {
        "identity_provider": {
            "id": "adfs"
        },
        "protocol": {
            "id": "mapped"
        },
        "groups": [
            {
                "id": "7594d86688c54ee2aab4c9df020f5468"
            }
        ]
    },
This bug is similar to this one for application credentials:
https://bugs.launchpad.net/keystone/+bug/1832092
Users, Member role and role assignments:
http://paste.openstack.org/show/753300/
The issue was discovered while troubleshooting "Error: ERROR: Missing
required credential: roles [u'Member']" shown by the Heat dashboard during
a stack creation:
http://paste.openstack.org/show/753301/ (heat API rpdb trace where a
Keystone trust API call is made)
Keystone side:
http://paste.openstack.org/show/753302/ (keystone trust API rpdb trace)
** Affects: keystone
Importance: Undecided
Status: New
** Tags: cpe-onsite
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1834009
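The following is an added example, not Keystone's code and not part of the bug report, that models the check the report describes: a trust-creation path that verifies the trustor's roles by consulting only the identity database, side by side with one that also resolves roles through the federated groups carried in the token. The role id and group id are taken from the token excerpt in the report; the project id, user ids, the in-memory assignment tables, the exception class and all function names are constructed for this example and are not Keystone's API.

```python
"""Trust delegation check: database-only role lookup vs. effective roles.

Models the bug: a federated (mapped) user's group membership exists only in
the token's OS-FEDERATION section, not in the identity database, so a
database-only lookup finds no roles and the trust cannot be created.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Minimal model of the token fields that matter for this check."""
    user_id: str
    project_id: str
    roles: frozenset                              # role ids shown in the token
    federated_groups: frozenset = frozenset()     # ids from user.OS-FEDERATION.groups


class TrustRoleNotDelegatable(Exception):
    """Hypothetical error type for this example; not a Keystone exception."""


# --- Constructed in-memory "database" (not Keystone's schema) ---------------
MEMBER_ROLE_ID = "e4ab04a7c6ec4c91a826b2a3ba333407"      # from the report's token
FEDERATED_GROUP_ID = "7594d86688c54ee2aab4c9df020f5468"  # from the report's token
PROJECT_ID = "project-a"                                  # assumed project id

# (user_id, project_id) -> role ids assigned directly to the user.
USER_ROLE_ASSIGNMENTS = {("local-user", PROJECT_ID): {MEMBER_ROLE_ID}}
# (group_id, project_id) -> role ids assigned to the group.
GROUP_ROLE_ASSIGNMENTS = {(FEDERATED_GROUP_ID, PROJECT_ID): {MEMBER_ROLE_ID}}
# user_id -> group ids persisted in the database. The federated user has no
# entry: its group comes from the IdP mapping and lives only in the token.
DB_GROUP_MEMBERSHIP = {"local-user": set()}


def roles_from_database(user_id, project_id):
    """Roles visible to a lookup that consults only the identity database."""
    roles = set(USER_ROLE_ASSIGNMENTS.get((user_id, project_id), set()))
    for group_id in DB_GROUP_MEMBERSHIP.get(user_id, set()):
        roles |= GROUP_ROLE_ASSIGNMENTS.get((group_id, project_id), set())
    return roles


def db_only_check(token):
    """The check the report describes: ignores the token's federated groups."""
    return roles_from_database(token.user_id, token.project_id)


def effective_roles(token):
    """Database roles plus roles reachable through the token's federated groups."""
    roles = roles_from_database(token.user_id, token.project_id)
    for group_id in token.federated_groups:
        roles |= GROUP_ROLE_ASSIGNMENTS.get((group_id, token.project_id), set())
    return roles


def create_trust(token, delegated_role_ids, check):
    """Create a trust delegating `delegated_role_ids`, after verifying with
    `check` that the trustor actually holds every role being delegated."""
    missing = set(delegated_role_ids) - check(token)
    if missing:
        raise TrustRoleNotDelegatable(
            f"trustor {token.user_id} lacks roles {sorted(missing)} on {token.project_id}")
    return {"trustor_user_id": token.user_id,
            "project_id": token.project_id,
            "roles": sorted(delegated_role_ids)}


def trust_outcomes():
    """Try both checks for a federated and a local trustor delegating Member."""
    federated = Token("federated-user", PROJECT_ID,
                      frozenset({MEMBER_ROLE_ID}), frozenset({FEDERATED_GROUP_ID}))
    local = Token("local-user", PROJECT_ID, frozenset({MEMBER_ROLE_ID}))
    results = {}
    for user_kind, token in (("federated", federated), ("local", local)):
        for check_name, check in (("db_only", db_only_check),
                                  ("effective", effective_roles)):
            try:
                create_trust(token, {MEMBER_ROLE_ID}, check)
                results[(user_kind, check_name)] = "created"
            except TrustRoleNotDelegatable:
                results[(user_kind, check_name)] = "rejected"
    return results


if __name__ == "__main__":
    for key, outcome in sorted(trust_outcomes().items()):
        print(key, outcome)
```

The local user passes both checks, the federated user passes only the group-aware one. The property worth keeping in mind when fixing a check like this is that the set of roles a trustor may delegate must be computed by the same path that populated "roles" in the trustor's token; any second, narrower lookup will either reject legitimate delegations (as here) or, if it is instead wider, let a trustor hand out roles the token never granted.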