yahoo-eng-team team mailing list archive

[Bug 2039269] [NEW] Implement full_match mapping combination matching rule

 

Public bug reported:

Hello,

As an OpenStack administrator I would like to federate flexible access policies to OpenStack projects from an identity provider.
For example, I have projects Green and Red, and Admin and User roles. From the identity provider Keystone receives an array like: "Green_Admin;Red_User". And there is no way to specify the rule "If the IdP gives Green_Admin and Red_User then set role Admin for project Green, and role User for project Red".

I tried to implement "full match" logic with something like:
  any_one_of: Green_Admin
  any_one_of: Red_User
  not_any_of: Green_User, Red_Admin
But in a real-life example with a dozen projects and several roles I ended up with a 50MB mappings JSON that Keystone can't accept.

Best Regards,
Alex.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2039269
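
Added example (not part of the bug report and not Keystone code): a Python generator that emits one exact-match rule per project/role combination, using the any_one_of / not_any_of pattern from the report, to show that the rule count grows as (roles + 1)^projects - 1. The attribute names OIDC-groups and OIDC-sub, the helper names, and the model of at most one role per project are assumptions.

```python
import itertools
import json

GROUPS_ATTR = "OIDC-groups"  # assumed remote attribute carrying "Green_Admin;Red_User"
USER_ATTR = "OIDC-sub"       # assumed remote attribute carrying the user name


def exact_match_rule(assignment, projects, roles):
    """Rule that fires only when the IdP sends exactly `assignment` (project -> role)."""
    wanted = [f"{p}_{r}" for p, r in assignment.items()]
    unwanted = [f"{p}_{r}" for p in projects for r in roles
                if assignment.get(p) != r]
    remote = [{"type": USER_ATTR}]
    # One any_one_of entry per required value: all entries must match (AND).
    remote += [{"type": GROUPS_ATTR, "any_one_of": [v]} for v in wanted]
    if unwanted:
        # Every other value must be absent, or a superset would also match.
        remote.append({"type": GROUPS_ATTR, "not_any_of": unwanted})
    local = [{"user": {"name": "{0}"}},
             {"projects": [{"name": p, "roles": [{"name": r}]}
                           for p, r in assignment.items()]}]
    return {"local": local, "remote": remote}


def build_mapping(projects, roles):
    """Enumerate every non-empty per-project role choice as its own rule."""
    rules = []
    for choice in itertools.product([None, *roles], repeat=len(projects)):
        assignment = {p: r for p, r in zip(projects, choice) if r}
        if assignment:
            rules.append(exact_match_rule(assignment, projects, roles))
    return {"rules": rules}


def rule_count(n_projects, n_roles):
    """Closed form: each project is unassigned or has one of n_roles."""
    return (n_roles + 1) ** n_projects - 1


if __name__ == "__main__":
    roles = ["Admin", "User"]
    for n in (2, 4, 6, 8):
        projects = [f"P{i}" for i in range(n)]  # constructed project names
        size = len(json.dumps(build_mapping(projects, roles)))
        print(f"{n} projects: {rule_count(n, 2)} rules, {size} bytes")
    print(f"12 projects (projected): {rule_count(12, 2)} rules")
```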
