Implement full_match mapping combination matching rule

Bug #2039269 reported by Aliaksandr Vasiuk
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: New
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Hello,

As an OpenStack administrator I would like to federate flexible access policies to OpenStack projects from an identity provider.
For example, I have projects Green and Red, and Admin and User roles. From the identity provider Keystone receives an array like: "Green_Admin;Red_User". And there is no way to specify the rule "If the IdP gives Green_Admin and Red_User then set role Admin for project Green, and role User for project Red".

I tried to implement "full match" logic with something like:
any_one_of: Green_Admin
any_one_of: Red_User
not_any_of: Green_User, Red_Admin
But in a real-life example with a dozen projects and several roles I ended up with a 50MB mappings JSON that Keystone can't accept.

Best Regards,
Alex.
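
The following is an added example, not code from the report or from Keystone. It emulates "full match" the way the description sketches it, assuming one rule per exact combination of project/role values, and counts how fast the rule set grows. The attribute names `OIDC-groups` and `OIDC-preferred_username`, and the `rule_matches` helper (a simplified model of the two conditions, not Keystone's matcher), are assumptions.

```python
import itertools
import json

GROUPS_ATTR = "OIDC-groups"            # assumed name of the IdP attribute
USER_ATTR = "OIDC-preferred_username"  # assumed name of the user attribute

def full_match_rule(assignment, all_values):
    """One rule that fires only when the IdP sent exactly `assignment`."""
    wanted = [f"{p}_{r}" for p, r in assignment.items()]
    others = [v for v in all_values if v not in wanted]
    remote = [{"type": USER_ATTR}]
    remote += [{"type": GROUPS_ATTR, "any_one_of": [v]} for v in wanted]
    if others:
        remote.append({"type": GROUPS_ATTR, "not_any_of": others})
    local = [{"user": {"name": "{0}"}},
             {"projects": [{"name": p, "roles": [{"name": r}]}
                           for p, r in assignment.items()]}]
    return {"local": local, "remote": remote}

def build_mapping(projects, roles):
    """Enumerate every choice of (no role | one role) per project."""
    all_values = [f"{p}_{r}" for p in projects for r in roles]
    rules = []
    for combo in itertools.product([None, *roles], repeat=len(projects)):
        assignment = {p: r for p, r in zip(projects, combo) if r}
        if assignment:  # skip the "no roles anywhere" combination
            rules.append(full_match_rule(assignment, all_values))
    return {"rules": rules}

def rule_matches(rule, assertion):
    """Simplified model: every remote condition must hold for the rule to fire."""
    received = set(assertion.split(";"))
    for cond in rule["remote"]:
        if "any_one_of" in cond and not received & set(cond["any_one_of"]):
            return False
        if "not_any_of" in cond and received & set(cond["not_any_of"]):
            return False
    return True

def mapping_stats(n_projects, roles):
    """Rule count and serialized size for constructed project names P0..Pn."""
    mapping = build_mapping([f"P{i}" for i in range(n_projects)], roles)
    return len(mapping["rules"]), len(json.dumps(mapping))

if __name__ == "__main__":
    for n in (2, 4, 6, 8):
        count, size = mapping_stats(n, ["Admin", "User"])
        print(f"{n} projects: {count} rules, {size} bytes of JSON")
```

With R roles and P projects this construction needs (R+1)^P - 1 rules, so each added project multiplies the mapping size.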

David Wilde (dave-wilde)
Changed in keystone:
importance: Undecided → Wishlist