yahoo-eng-team team mailing list archive

[Bug 1883247] [NEW] Able to assign users to projects/groups across different domains


Public bug reported:

I was reading https://wiki.openstack.org/wiki/Domains and Question number 2 piqued my interest.
Q: Will users of different domains be allowed within the same group?
A: Groups, as defined here, are bound to a domain. Only users of that domain can be members of the groups defined in that domain.

When playing around with federation I have been assigning shadow users from an IDP with a randomly generated domain to groups/projects in the default domain with no issues so far.
For example:

root@aio1:/home/ubuntu# openstack --insecure identity provider show keycloak-idp
+-------------+--------------------------------------------+
| Field       | Value                                      |
+-------------+--------------------------------------------+
| description | None                                       |
| domain_id   | 56e7f3e3d73c4ac7a20c52bf98f479bb           |
| enabled     | True                                       |
| id          | keycloak-idp                               |
| remote_ids  | https://....                               |
+-------------+--------------------------------------------+

root@aio1:/home/ubuntu# openstack --insecure user show ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008
+---------------------+------------------------------------------------------------------+
| Field               | Value                                                            |
+---------------------+------------------------------------------------------------------+
| domain_id           | 56e7f3e3d73c4ac7a20c52bf98f479bb                                 |
| enabled             | True                                                             |
| id                  | ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008 |
| name                | USERS_NAME                                                       |
| options             | {}                                                               |
| password_expires_at | None                                                             |
+---------------------+------------------------------------------------------------------+

root@aio1:/home/ubuntu# openstack --insecure group show f44ba67a31ba40ec92590425441a13fd
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| id          | f44ba67a31ba40ec92590425441a13fd |
| name        | fedgroup                         |
+-------------+----------------------------------+

root@aio1:/home/ubuntu# openstack --insecure group contains user --group-domain default --user-domain 56e7f3e3d73c4ac7a20c52bf98f479bb fedgroup ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008
ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008 not in group fedgroup

root@aio1:/home/ubuntu# openstack --insecure group add user --group-domain default --user-domain 56e7f3e3d73c4ac7a20c52bf98f479bb fedgroup ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008

root@aio1:/home/ubuntu# openstack --insecure group contains user --group-domain default --user-domain 56e7f3e3d73c4ac7a20c52bf98f479bb fedgroup ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008
ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008 in group fedgroup

So at this point I have established that I am able to add a user from
domain A into a group in domain B. Now I will try adding a user that
does exist within the group's domain to the group, to see if the two
can coexist.

openstack --insecure user show test_local
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | 06679aa98a49412facb398a5f26d034a |
| domain_id           | default                          |
| email               | test_local@...             |
| enabled             | True                             |
| id                  | 6c66c22f687b4af69c34427f3ab348d6 |
| name                | test_local                       |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
root@aio1:/home/ubuntu# openstack --insecure group add user --group-domain default --user-domain default fedgroup 6c66c22f687b4af69c34427f3ab348d6

root@aio1:/home/ubuntu# openstack --insecure group contains user --group-domain default --user-domain default fedgroup 6c66c22f687b4af69c34427f3ab348d6
6c66c22f687b4af69c34427f3ab348d6 in group fedgroup

root@aio1:/home/ubuntu# openstack --insecure group contains user --group-domain default --user-domain 56e7f3e3d73c4ac7a20c52bf98f479bb fedgroup ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008
ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008 in group fedgroup

This disproves the answer given in the Q&A linked above.
I am also able to add users across domains into projects.

root@aio1:/home/ubuntu# openstack --insecure project show fedproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 4ae204fe26cf47a380a814f1ca27f363 |
| is_domain   | False                            |
| name        | fedproject                       |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

openstack --insecure role add --project fedproject --project-domain default --user ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008 --user-domain 56e7f3e3d73c4ac7a20c52bf98f479bb _member_

root@aio1:/home/ubuntu# openstack --insecure role assignment list --user ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                                                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| 77ac860ff6f1494a9c4246bafe3f7d25 | ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008 |       | 4ae204fe26cf47a380a814f1ca27f363 |        |        | False     |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+


Is this a bug, or can users from one domain be granted permissions in other domains?
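Whether or not Keystone intends to enforce the "one domain per group" rule quoted from the wiki, an operator who wants that invariant can audit for it. The following is an added example, not code from Keystone or from the bug reporter: it takes user, group and project records keyed by id and domain_id (the shape of the `show` output above), the group memberships `group contains user` confirmed, and rows with the columns of `role assignment list`, and flags every membership or assignment that crosses a domain boundary. The sample data is constructed from the ids in the report; the record shapes and the `Finding` type are this example's own assumptions.

```python
"""Audit Keystone identity data for cross-domain group membership and
role assignments, i.e. the situation the bug report above demonstrates.

Added example: not Keystone code and not the reporter's script. Input is
plain dicts shaped like the `openstack ... show` output in the report
(records keyed by id with a domain_id) plus role-assignment rows carrying
the columns of `openstack role assignment list`. All sample values below
are constructed from the ids that appear in the report."""

from dataclasses import dataclass

# --- constructed sample data, mirroring the report's objects -------------
IDP_DOMAIN = "56e7f3e3d73c4ac7a20c52bf98f479bb"   # domain of keycloak-idp
FED_USER = "ad7afe2105f12f3aae1b1bf40604030df9e3a4dd5338ce80bc7b6507e260f008"
LOCAL_USER = "6c66c22f687b4af69c34427f3ab348d6"
FED_GROUP = "f44ba67a31ba40ec92590425441a13fd"
FED_PROJECT = "4ae204fe26cf47a380a814f1ca27f363"
MEMBER_ROLE = "77ac860ff6f1494a9c4246bafe3f7d25"

USERS = {
    FED_USER: {"name": "USERS_NAME", "domain_id": IDP_DOMAIN},
    LOCAL_USER: {"name": "test_local", "domain_id": "default"},
}
GROUPS = {FED_GROUP: {"name": "fedgroup", "domain_id": "default"}}
PROJECTS = {FED_PROJECT: {"name": "fedproject", "domain_id": "default"}}

# (group_id, user_id) pairs, as `group contains user` reported them
GROUP_MEMBERS = [(FED_GROUP, FED_USER), (FED_GROUP, LOCAL_USER)]

# rows with the columns of `openstack role assignment list`
ROLE_ASSIGNMENTS = [
    {"Role": MEMBER_ROLE, "User": FED_USER, "Group": "", "Project": FED_PROJECT,
     "Domain": "", "System": "", "Inherited": False},
    {"Role": MEMBER_ROLE, "User": LOCAL_USER, "Group": "", "Project": FED_PROJECT,
     "Domain": "", "System": "", "Inherited": False},
]


@dataclass(frozen=True)
class Finding:
    kind: str          # "group_member" or "role_assignment"
    actor: str         # user or group id
    actor_domain: str
    target: str        # group, project or domain id
    target_domain: str


def cross_domain_group_members(users, groups, members):
    """Return a Finding for every member whose domain differs from the group's."""
    out = []
    for group_id, user_id in members:
        g_dom = groups[group_id]["domain_id"]
        u_dom = users[user_id]["domain_id"]
        if g_dom != u_dom:
            out.append(Finding("group_member", user_id, u_dom, group_id, g_dom))
    return out


def cross_domain_role_assignments(users, groups, projects, assignments):
    """Return a Finding for each assignment whose actor and scope live in
    different domains. System-scoped rows have no domain and are skipped."""
    out = []
    for row in assignments:
        if row["System"]:
            continue
        if row["User"]:
            actor, actor_dom = row["User"], users[row["User"]]["domain_id"]
        else:
            actor, actor_dom = row["Group"], groups[row["Group"]]["domain_id"]
        if row["Project"]:
            target, target_dom = row["Project"], projects[row["Project"]]["domain_id"]
        else:
            # domain-scoped assignment: the scope is the domain itself
            target, target_dom = row["Domain"], row["Domain"]
        if actor_dom != target_dom:
            out.append(Finding("role_assignment", actor, actor_dom, target, target_dom))
    return out


def audit(users=USERS, groups=GROUPS, projects=PROJECTS,
          members=GROUP_MEMBERS, assignments=ROLE_ASSIGNMENTS):
    """Run both checks over one snapshot and return the combined findings."""
    return (cross_domain_group_members(users, groups, members)
            + cross_domain_role_assignments(users, groups, projects, assignments))


if __name__ == "__main__":
    for f in audit():
        print(f"{f.kind}: {f.actor} (domain {f.actor_domain}) -> "
              f"{f.target} (domain {f.target_domain})")
```

On the report's data this yields exactly two findings, both for the federated user: its membership in `fedgroup` (domain `default`) and its `_member_` assignment on `fedproject`, while `test_local` produces none. In a real deployment the same functions can be fed the JSON from `openstack ... -f json` after reshaping it into the dict form used here.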

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1883247
