Mapping openstack_project attribute in k2k assertions with different domains

Bug #1442343 reported by Iury Gregory Melo Ferreira
Affects                        Status        Importance  Assigned to     Milestone
OpenStack Identity (keystone)  Fix Released  Wishlist    Rodrigo Duarte
Kilo                           Fix Released  Undecided   Unassigned

Bug Description

We can have two projects with the same name in different domains. So if we have a "Project A" in "Domain X" and a "Project A" in "Domain Y", there is no way to tell which "Project A" is being used in a SAML assertion generated by this IdP (we have only the openstack_project attribute in the SAML assertion).

description: updated
description: updated
Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

We need to include the domain information in the assertion and/or the entire hierarchy (reseller).

tags: added: kilo-rc-potential
Adam Young (ayoung) wrote :

Assertions need not just the project name, but the domain and all parent projects.

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/172536

Changed in keystone:
assignee: nobody → Rodrigo Duarte (rodrigodsousa)
status: Triaged → In Progress
Dolph Mathews (dolph) wrote :

Changing this to Wishlist for the reasoning described in a related bug: https://bugs.launchpad.net/keystone/+bug/1442787/comments/2

Changed in keystone:
importance: Medium → Wishlist
Rodrigo Duarte (rodrigodsousa) wrote :

As per the comment in the related bug report, we can't address this issue by some workaround in the mapping rules. The possibility of mapping different entities from the IdP to the same local entity in the SP can only be fixed by providing all the information necessary to distinguish the IdP entities (in the case of a project: the project name and the project's domain name, or the project id).

tags: added: security
Rodrigo Duarte (rodrigodsousa) wrote :

Created a spec for these new attributes: https://review.openstack.org/#/c/174462/

Thierry Carrez (ttx)
tags: removed: kilo-rc-potential
Brant Knudson (blk-u)
tags: added: kilo-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/172536
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fa844bc88edb417f9513d19c749886a61d7b26ce
Submitter: Jenkins
Branch: master

commit fa844bc88edb417f9513d19c749886a61d7b26ce
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Fri Apr 10 14:59:34 2015 -0300

    Add openstack_project_domain to assertion

    Currently, a keystone IdP does not provide the domain of the project
    when generating SAML assertions. Since it is possible to have two
    projects with the same name but in different domains, this patch
    adds an additional attribute called "openstack_project_domain"
    in the assertion to identify the domain of the project.

    Closes-Bug: 1442343
    bp assertion-extra-attributes

    Change-Id: I62ed73d87f268c73294738845421deb87088326b

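The ambiguity described in the bug report and the effect of the attribute added by the commit above, as an added worked example that is not keystone's code: two IdP projects named "Project A" in different domains are turned into assertion attribute sets, and a toy mapping evaluator (shaped like keystone federation mapping rules, with a "remote" attribute list and "{n}" placeholders in "local", but deliberately simplified) resolves them to local SP entities. With only openstack_project both projects collapse onto one local project; with openstack_project_domain they stay distinct, and an assertion from an IdP that lacks the new attribute fails to match rather than being silently merged. Project ids, domain names, the user "alice" and the role "member" are constructed sample values.

```python
"""Constructed demonstration of the openstack_project ambiguity across domains
and how the openstack_project_domain attribute resolves it. Not keystone code."""

from typing import Dict, List, Optional, Tuple

# Two distinct IdP-side projects that share a name (constructed sample data).
IDP_PROJECTS = [
    {"id": "a1b2", "name": "Project A", "domain_name": "Domain X"},
    {"id": "c3d4", "name": "Project A", "domain_name": "Domain Y"},
]


def build_assertion_attrs(project: dict, include_domain: bool) -> Dict[str, List[str]]:
    """Mimic the attribute set a keystone IdP places in a SAML assertion.

    Before the fix only openstack_project is present; the patch adds
    openstack_project_domain. User and role values are hypothetical.
    """
    attrs = {
        "openstack_user": ["alice"],
        "openstack_roles": ["member"],
        "openstack_project": [project["name"]],
    }
    if include_domain:
        attrs["openstack_project_domain"] = [project["domain_name"]]
    return attrs


# Simplified mapping rules in the shape keystone's federation mapping uses:
# "remote" lists the assertion attributes consumed, "local" the SP identity
# built from them via positional "{n}" placeholders.
MAPPING_RULE_WITHOUT_DOMAIN = {
    "local": [{"user": {"name": "{0}"}, "project": {"name": "{1}"}}],
    "remote": [{"type": "openstack_user"}, {"type": "openstack_project"}],
}
MAPPING_RULE_WITH_DOMAIN = {
    "local": [{"user": {"name": "{0}"},
               "project": {"name": "{1}", "domain": {"name": "{2}"}}}],
    "remote": [{"type": "openstack_user"}, {"type": "openstack_project"},
               {"type": "openstack_project_domain"}],
}

LocalTarget = Tuple[str, str, Optional[str]]


def apply_rule(rule: dict, attrs: Dict[str, List[str]]) -> Optional[LocalTarget]:
    """Toy evaluator: fill "{n}" with the n-th remote attribute's first value.

    Returns (user, project_name, project_domain_name), or None when a required
    remote attribute is absent so the rule does not match (fail closed).
    """
    values = []
    for remote in rule["remote"]:
        vals = attrs.get(remote["type"])
        if not vals:
            return None
        values.append(vals[0])
    local = rule["local"][0]
    user = local["user"]["name"].format(*values)
    project = local["project"]["name"].format(*values)
    domain_tmpl = local["project"].get("domain", {}).get("name")
    domain = domain_tmpl.format(*values) if domain_tmpl else None
    return (user, project, domain)


def count_collisions(rule: dict, include_domain: bool) -> int:
    """Number of distinct IdP projects that map onto an already-used SP target.

    A non-zero result means the mapping cannot tell the IdP projects apart.
    """
    targets = [apply_rule(rule, build_assertion_attrs(p, include_domain))
               for p in IDP_PROJECTS]
    return len(targets) - len(set(targets))


if __name__ == "__main__":
    print("collisions without domain attribute:",
          count_collisions(MAPPING_RULE_WITHOUT_DOMAIN, False))
    print("collisions with domain attribute:   ",
          count_collisions(MAPPING_RULE_WITH_DOMAIN, True))
    print("old assertion against new rule:     ",
          apply_rule(MAPPING_RULE_WITH_DOMAIN,
                     build_assertion_attrs(IDP_PROJECTS[0], False)))
```

The collision count is the check an SP operator would want: any value above zero means two distinct IdP projects are indistinguishable after mapping, which is exactly the condition behind the `security` tag on this bug. Keeping the domain attribute in the rule's `remote` list also means an assertion from an IdP that has not picked up the fix is rejected rather than mapped to an ambiguous project.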
Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/179195

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/179195
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0c0bf69ceff55d81054a61123cccabb721b96b09
Submitter: Jenkins
Branch: stable/kilo

commit 0c0bf69ceff55d81054a61123cccabb721b96b09
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Fri Apr 10 14:59:34 2015 -0300

    Add openstack_project_domain to assertion

    Currently, a keystone IdP does not provide the domain of the project
    when generating SAML assertions. Since it is possible to have two
    projects with the same name but in different domains, this patch
    adds an additional attribute called "openstack_project_domain"
    in the assertion to identify the domain of the project.

    Closes-Bug: 1442343
    bp assertion-extra-attributes

    Change-Id: I62ed73d87f268c73294738845421deb87088326b
    (cherry picked from commit fa844bc88edb417f9513d19c749886a61d7b26ce)

tags: added: in-stable-kilo
Changed in keystone:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-1 → 8.0.0