yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1878496] [NEW] RFE: Support for direct-mapping auto-provisioned project/role names

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jason Anderson <1878496@xxxxxxxxxxxxxxxxxx>
Date: Wed, 13 May 2020 22:08:48 -0000
Reply-to: Bug 1878496 <1878496@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

It is currently possible for an IdP to specify multiple values in an
assertion (e.g., for groups a user is a member of) and have each of
those values mapped to an individual entities. This allows to map a user
into multiple Keystone groups. However, this functionality does not yet
exist for the auto-provisioned Keystone projects. This RFE is for
extending this functionality so that multiple projects can be
provisioned if they are being mapped from a multi-value assertion.

Consider that a user is a member of several groups in the IdP, and you
want to provision one Keystone project per group. That is currently not
supported, though it is very similar to the group functionality.

This can be extended to project roles as well, though there will be a
limitation: since the roles themselves are not auto-provisioned, they
must already exist when the assertion is mapped. If the roles did exist,
though, the mapping would work fine.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1878496

Title:
  RFE: Support for direct-mapping auto-provisioned project/role names

Status in OpenStack Identity (keystone):
  New

Bug description:
  It is currently possible for an IdP to specify multiple values in an
  assertion (e.g., for groups a user is a member of) and have each of
  those values mapped to an individual entities. This allows to map a
  user into multiple Keystone groups. However, this functionality does
  not yet exist for the auto-provisioned Keystone projects. This RFE is
  for extending this functionality so that multiple projects can be
  provisioned if they are being mapped from a multi-value assertion.

  Consider that a user is a member of several groups in the IdP, and you
  want to provision one Keystone project per group. That is currently
  not supported, though it is very similar to the group functionality.

  This can be extended to project roles as well, though there will be a
  limitation: since the roles themselves are not auto-provisioned, they
  must already exist when the assertion is mapped. If the roles did
  exist, though, the mapping would work fine.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1878496/+subscriptions