yahoo-eng-team team mailing list archive

[Bug 1888412] [NEW] [RFE] Keystone identity mapping to support project definition as a JSON

Public bug reported:

Problem Description
===================
This proposal depends on https://bugs.launchpad.net/keystone/+bug/1887515, which is the proposal that enhances the identity mapping schema management. Therefore, we first need to get that reviewed and merged.

Currently, the project assignment via the federated identity mapping is
rather static. This happens because of the find/replace mechanism that
we have in place there. Therefore, if the IdP provider generates an
attribute that contains a JSON with project definitions, we are not able
to handle it in Keystone.

This proposal introduces a new property in the federated identity
mapping schema called `projects_json`. In the schema, this property will
accept a JSON string that defines all of the projects and their
specific roles that the user must receive when logging in to the OpenStack
platform. Moreover, when using this extension, roles (assigned to
projects) are added and removed on the fly.

Proposed Change
===============
The extension is quite straightforward. We created a new "federation_attribute_mapping_schema_version" version (1.2). This new version enables the handling of `project_json` in the attribute mapping.

Furthermore, we added code to handle the addition of extra roles for
projects and removal of roles that are present in OpenStack, but are not
in the IdP data. This is a mechanism to make the state of the OpenStack
federated user consistent with the Identity provider user attributes.
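
The add-and-remove reconciliation described in the proposal, as an added illustration that is not part of the bug report or of Keystone's own code. The `projects` / `name` / `roles` shape of the attribute, the sample attribute value and the sample set of current assignments are constructed assumptions for this example; the RFE does not define the format of the JSON string. The example parses the attribute, fails closed on malformed input (raising instead of treating garbage as "no roles"), and computes, per project, which roles must be granted and which revoked to make Keystone match the IdP:

```python
import json

# Constructed sample of an IdP attribute value of the kind the proposed
# `projects_json` mapping property would consume. Its shape (a "projects"
# list of {"name", "roles"} objects) is an assumption made for this
# illustration; the RFE does not specify the format.
IDP_PROJECTS_JSON = json.dumps({
    "projects": [
        {"name": "alpha", "roles": ["member", "reader"]},
        {"name": "beta", "roles": ["admin"]},
    ]
})

# Constructed snapshot of the role assignments the federated user already
# holds in Keystone, keyed by project name.
CURRENT_ASSIGNMENTS = {
    "alpha": {"member", "heat_stack_owner"},
    "gamma": {"reader"},
}


def parse_projects_json(raw):
    """Parse the attribute into {project_name: set(role_names)}.

    Anything that is not the expected shape raises ValueError so that a
    malformed or truncated attribute fails closed: the caller makes no
    assignment changes at all, rather than treating garbage as "no roles"
    and revoking everything the user currently holds.
    """
    try:
        data = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise ValueError("projects_json is not valid JSON: %s" % exc)
    if not isinstance(data, dict) or not isinstance(data.get("projects"), list):
        raise ValueError("projects_json must be an object with a 'projects' list")
    desired = {}
    for entry in data["projects"]:
        if not isinstance(entry, dict):
            raise ValueError("each project entry must be an object")
        name = entry.get("name")
        roles = entry.get("roles")
        if not isinstance(name, str) or not name:
            raise ValueError("project entry without a non-empty 'name'")
        if not isinstance(roles, list) or not all(isinstance(r, str) and r for r in roles):
            raise ValueError("project %r has a malformed 'roles' list" % name)
        # A project listed twice gets the union of its role lists.
        desired.setdefault(name, set()).update(roles)
    return desired


def is_valid_projects_json(raw):
    """True if parse_projects_json() accepts the attribute value."""
    try:
        parse_projects_json(raw)
    except ValueError:
        return False
    return True


def reconcile(desired, current):
    """Compute the assignment changes that make Keystone match the IdP.

    Returns (to_grant, to_revoke), each {project_name: set(role_names)}.
    Roles the IdP lists that the user lacks are granted; roles the user holds
    on any project that the IdP does not list are revoked, which is the
    "added and removed on the fly" behaviour the RFE describes. Projects
    with no change are omitted from both dicts.
    """
    to_grant, to_revoke = {}, {}
    for project in set(desired) | set(current):
        want = desired.get(project, set())
        have = current.get(project, set())
        if want - have:
            to_grant[project] = want - have
        if have - want:
            to_revoke[project] = have - want
    return to_grant, to_revoke


def plan_changes(raw_attribute, current):
    """Parse the IdP attribute and return the reconciliation plan.

    ValueError from the parser propagates unchanged: on bad input no plan
    is produced, so nothing is granted or revoked.
    """
    return reconcile(parse_projects_json(raw_attribute), current)


if __name__ == "__main__":
    grant, revoke = plan_changes(IDP_PROJECTS_JSON, CURRENT_ASSIGNMENTS)
    for project, roles in sorted(grant.items()):
        print("grant  %-6s %s" % (project, sorted(roles)))
    for project, roles in sorted(revoke.items()):
        print("revoke %-6s %s" % (project, sorted(roles)))
```

Two points worth noticing when reading the plan it produces. First, the revoke set is computed over every project on which the user currently holds a role, so a role granted outside federation (for example by an operator directly in Keystone) is also revoked at the next login; a deployment that wants to keep operator-granted roles would have to scope the reconciliation to the projects or domains the mapping manages. Second, an explicitly empty `"projects": []` is valid input and strips every role, which is the intended "consistent with the IdP" outcome, whereas a missing or malformed attribute raises and leaves the assignments untouched; the distinction between those two cases is what keeps a broken IdP response from locking every federated user out.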

** Affects: keystone
     Importance: Undecided
     Assignee: Rafael Weingartner (rafaelweingartner)
         Status: In Progress

** Description changed:

  Problem Description
  =================
  This proposal depends on https://bugs.launchpad.net/keystone/+bug/1887515, which is the proposal that enhances the identity mapping schema management. Therefore, we first need to get that reviewed and merged.
  
  Currently, the project assignment via the federated identity mapping is
  rather static. This happens because of the find/replace mechanism that
  we have in place there. Therefore, if the IdP provider generates an
  attribute that contains a JSON with project definitions, we are not able
  to handle it in Keystone.
  
  This proposal introduces a new property in the federated identity
  mapping schema called `projects_json`. In the schema, this property will
  accept a JSON string, that defines all of the projects and their
  specific roles that the user must receive when login-in to the OpenStack
- platform. Moreover, when using this
+ platform. Moreover, when using this extension, roles (assigned to
+ projects) are added and removed on the fly.
  
  Proposed Change
  ===============
  The extension is quite straight forward. We created a new "federation_attribute_mapping_schema_version" version (1.2). This new version enables the handling of `project_json` in the attribute mapping.
  
  Furthermore, we added code to handle the addition of extra roles for
  projects and removal of roles that are present in OpenStack, but are not
  in the IdP data. This is a mechanism to make the state of the OpenStack
  federated user consistent with the Identity provider user attributes.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1888412

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1888412/+subscriptions