yahoo-eng-team team mailing list archive
Message #80929
[Bug 1855869] [NEW] federation role mapping does not add users to groups
Public bug reported:
I'm using AzureAD and keystone oidc; mapping remote users into local groups does not work as expected.
I'm using the auto-generated domain for ephemeral cloud users. A remote attribute of OIDC_DEPARTMENT is used for mapping federated users to local groups; the groups and projects have been created in the default domain. Users should inherit the roles of their mapped group, or in other words "group-based role-based access".
My expectation, when following the docs for oidc or openid or mapped, is that users inherit the roles of their mapped groups.
How to reproduce:
1 - create idp
2 - create protocol
3 - create mapping
4 - create project
5 - create group
6 - assign group to project
7 - assign roles to group in project
WEB SSO is working and a certain amount of the mapping seems to be
working; for example, if I grant group access to a project, the federated
user will be granted access to the project in Horizon, but they won't
inherit the roles of that group, i.e. they will not become group members:
in Horizon >> Identity >> Users (select a federated user) >> Groups (no groups)
in Horizon >> Identity >> Groups >> Members (no members)
Is this intended? The federated user's domain id is the auto-generated
federation domain, but I am mapping them into Default domain / project /
group.
Here is the mapping from OIDC group to OpenStack group:
{
    "rules": [
        {
            "local": [
                {
                    "group": {
                        "domain": {
                            "name": "Default"
                        },
                        "name": "itdept"
                    },
                    "user": {
                        "name": "{0}",
                        "email": "{1}"
                    }
                }
            ],
            "remote": [
                {
                    "type": "HTTP_OIDC_EMAIL"
                },
                {
                    "type": "HTTP_OIDC_EMAIL"
                },
                {
                    "type": "HTTP_OIDC_DEPARTMENT",
                    "any_one_of": [
                        "7050",
                        "7051"
                    ]
                }
            ]
        }
    ]
}
There is nothing in the mapping regarding projects, as I would not like
to use such a mechanism for simple access to projects, but if I assign
the local group to another project then I *can* switch to that project
in Horizon; but I do not have the roles of the group, I have the
member role only. I'm guessing this is bestowed by default or
by Horizon.
So in summary:
Configured a working SSO.
- Users are not being added to groups; seems to be ephemeral.
- Users do inherit groups' projects, so project enrolment works as expected.
- Users do not inherit groups' roles on projects.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1855869
Title:
federation role mapping does not add users to groups
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1855869/+subscriptions
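As an added example (not keystone's own code and not something the reporter posted), the following Python sketches how a mapping document like the one in the report is evaluated against the attributes the Apache auth module exposes, and what roles the user would hold on a project if each mapped group's role assignments applied to its members, which is the "group-based role-based access" the report expects. The evaluator is a simplified re-implementation of the keystone mapping-engine semantics (remote entries without a condition fill `{0}`, `{1}`, ... in order; `any_one_of` / `not_any_of` are conditions, optionally as regexes; multi-valued attributes arrive `;`-joined). The assertion values, the `Federated` domain name and the group role assignments are constructed; `cross_domain_groups` only reports which mapped groups live outside the federated user's domain, the situation the report asks about.

```python
import re

# Mapping rules from the bug report, as a Python object (copied from the post).
MAPPING_RULES = [
    {
        "local": [
            {
                "group": {"domain": {"name": "Default"}, "name": "itdept"},
                "user": {"name": "{0}", "email": "{1}"},
            }
        ],
        "remote": [
            {"type": "HTTP_OIDC_EMAIL"},
            {"type": "HTTP_OIDC_EMAIL"},
            {"type": "HTTP_OIDC_DEPARTMENT", "any_one_of": ["7050", "7051"]},
        ],
    }
]

# Constructed sample assertion: the environment variables the auth module sets.
SAMPLE_ASSERTION = {
    "HTTP_OIDC_EMAIL": "alice@example.com",
    "HTTP_OIDC_DEPARTMENT": "7050",
}

# Constructed role assignments: (group domain, group name) -> project -> roles.
SAMPLE_ASSIGNMENTS = {("Default", "itdept"): {"itproject": ["admin", "member"]}}


def _values(assertion, attr):
    """Attribute values as a list; multi-valued attributes arrive ';'-joined."""
    raw = assertion.get(attr)
    if raw is None:
        return None
    return [v for v in raw.split(";") if v]


def _matches(vals, patterns, use_regex):
    if use_regex:
        return any(re.search(p, v) for p in patterns for v in vals)
    return any(v in patterns for v in vals)


def _check_remote(remote, assertion):
    """Return the direct-mapping values (for {0}, {1}, ...) if every remote
    requirement holds, else None. Entries with any_one_of / not_any_of are
    conditions only; the other entries contribute a positional value, in order."""
    direct = []
    for req in remote:
        vals = _values(assertion, req["type"])
        if vals is None:
            return None  # attribute absent: this rule does not apply
        if "any_one_of" in req:
            if not _matches(vals, req["any_one_of"], req.get("regex", False)):
                return None
        elif "not_any_of" in req:
            if _matches(vals, req["not_any_of"], req.get("regex", False)):
                return None
        else:
            direct.append(vals[0])
    return direct


def _substitute(obj, direct):
    """Fill {n} placeholders on the local side with the direct-mapped values."""
    if isinstance(obj, str):
        return obj.format(*direct)
    if isinstance(obj, dict):
        return {k: _substitute(v, direct) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, direct) for v in obj]
    return obj


def evaluate_mapping(rules, assertion):
    """Merge the local side of every rule whose remote requirements hold."""
    user, groups = {}, []
    for rule in rules:
        direct = _check_remote(rule["remote"], assertion)
        if direct is None:
            continue
        for local in _substitute(rule["local"], direct):
            if "user" in local:
                user.update(local["user"])
            if "group" in local:
                entry = {"name": local["group"]["name"],
                         "domain": local["group"]["domain"]["name"]}
                if entry not in groups:
                    groups.append(entry)
    return {"user": user, "groups": groups}


def effective_roles(groups, assignments, project):
    """Roles the user would hold on `project` if each mapped group's role
    assignments applied to its members (the expectation stated in the report)."""
    roles = set()
    for g in groups:
        roles.update(assignments.get((g["domain"], g["name"]), {}).get(project, ()))
    return sorted(roles)


def cross_domain_groups(groups, user_domain):
    """Mapped groups that live in a different domain than the federated user."""
    return [g for g in groups if g["domain"] != user_domain]


if __name__ == "__main__":
    result = evaluate_mapping(MAPPING_RULES, SAMPLE_ASSERTION)
    print(result)
    print(effective_roles(result["groups"], SAMPLE_ASSIGNMENTS, "itproject"))
    print(cross_domain_groups(result["groups"], "Federated"))  # constructed domain name
```

Running it shows the mapped user (name and email both taken from HTTP_OIDC_EMAIL, because that attribute is listed twice as a direct mapping), the `itdept` group in the `Default` domain, and the roles that group's assignments would confer on `itproject`; a department value outside `any_one_of` yields no user and no groups. The evaluator deliberately stops at the mapping result and does not model whether keystone persists the membership for ephemeral users, which is the behaviour the report is questioning.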