[19.04] idp protocol names from keystone-fid-service-provider relation data are not added to authentication methods
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Keystone Charm | Fix Released | High | David Ames |
Bug Description
'mapped' is an authentication plugin name which is also used as a protocol name in OpenStack documentation. Protocol names need to be added as "methods" into keystone.conf, and the charm currently hard-codes 'mapped' as if it were the only protocol to be supported (the confusion comes from the fact that authentication plugins are usually listed there).
"Configure authentication drivers in keystone.conf by adding the authentication methods to the [auth] section in keystone.conf. Ensure the names are the same as the protocol names added via Identity API v3."
"saml2 and openid are instances of the mapped plugin. These must match the name of the federation protocol created via the Identity API. The other names in the example are not related to federation."
Usage examples in unit tests:
https:/
There is nothing preventing us from supporting other names and specifying something like this:
methods = external,
Besides use-cases like SAML or OIDC the "mapped" authentication plugin is also used for tokenless x509 auth which relies on a section that specifies the protocol as well:
[tokenless_
# ...
protocol = x509
So, changing the current code to avoid hardcoding 'mapped' and 'openid' and only adding protocol names if charm-keystone is related to other charms like keystone-
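As an added illustration of the behaviour this bug asks for (example code, not charm-keystone's own), the following Python derives the [auth] methods list from the protocol names announced over the keystone-fid-service-provider relation instead of hard-coding 'mapped'. The relation payload, the baseline method list and the function names (auth_methods, render_sections, parse_methods, is_valid_protocol) are constructed assumptions; the [tokenless_auth] section name is Keystone's own. Only protocol names that are actually related get added, so 'mapped' appears only if a related protocol is really called that.

```python
import configparser
import io
import re

# Constructed example: protocol names as a charm might receive them over the
# keystone-fid-service-provider relation (hypothetical payload, not real data).
RELATION_PROTOCOLS = ["saml2", "openid"]

# Non-federation methods used as the baseline for [auth] methods. This list is
# an assumption for the example, not taken from the charm's templates.
BASE_METHODS = ["external", "password", "token", "oauth1", "application_credential"]

# Protocol names end up as config keys and Identity API identifiers, so only a
# conservative identifier form is accepted (assumption made for this example).
_PROTOCOL_RE = re.compile(r"^[a-z][a-z0-9_-]{0,63}$")


def is_valid_protocol(name):
    """True if `name` is a protocol name this example is willing to configure."""
    return isinstance(name, str) and _PROTOCOL_RE.match(name) is not None


def auth_methods(base_methods, fid_protocols, tokenless_protocol=None):
    """Build the [auth] methods list.

    Every federation protocol name is added verbatim, because it must equal the
    protocol name created via the Identity API v3. The tokenless x509 protocol,
    if configured, is added the same way. Nothing federation-related is added
    when no protocol is related, and duplicates are dropped while keeping order.
    """
    methods = list(base_methods)
    protocols = list(fid_protocols)
    if tokenless_protocol:
        protocols.append(tokenless_protocol)
    for name in protocols:
        if not is_valid_protocol(name):
            raise ValueError(f"invalid protocol name: {name!r}")
        if name not in methods:
            methods.append(name)
    return methods


def render_sections(methods, tokenless_protocol=None):
    """Render the keystone.conf fragments as INI text."""
    cfg = configparser.ConfigParser()
    cfg["auth"] = {"methods": ",".join(methods)}
    if tokenless_protocol:
        cfg["tokenless_auth"] = {"protocol": tokenless_protocol}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def parse_methods(ini_text):
    """Read the methods list back out of rendered INI text (round-trip check)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return [m.strip() for m in cfg["auth"]["methods"].split(",") if m.strip()]


if __name__ == "__main__":
    methods = auth_methods(BASE_METHODS, RELATION_PROTOCOLS, tokenless_protocol="x509")
    print(render_sections(methods, tokenless_protocol="x509"))
```

Running the block prints an [auth] section whose methods line ends with saml2,openid,x509 plus a [tokenless_auth] section with protocol = x509; with an empty relation list the output contains only the baseline methods.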
description: updated
Changed in charm-keystone: status: Fix Committed → Fix Released
Fix proposed to branch: master (review.opendev.org/657562)
Review: https:/