Federated users cannot log in if they are not members of projects
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| django-openstack-auth | Fix Released | High | Colleen Murphy | |
Bug Description
If a federated user has a role in one or more domains but no roles in any projects, horizon prevents them from logging in, returning the message "You are not authorized for any projects or domains." This is misleading because the user is authorized for at least one domain. Moreover, federated users should be allowed to log in even if they are not authorized for any projects, just as non-federated users can.
Steps to reproduce:
1. Follow http://
2. Create a mapping that maps federated users to some keystone group.
3. Assign the group a role in a domain (and no roles in any projects).
4. Attempt to log into horizon using the federated authentication mechanism
Expected behavior:
User is allowed to log in and is presented with their dashboard.
Actual behavior:
User is forbidden from logging in with the misleading message "You are not authorized for any projects or domains."
Changed in django-openstack-auth:
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress
Changed in django-openstack-auth:
importance: Undecided → High
Reviewed: https://review.openstack.org/389337
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=ca3166707b2b8d121d4bf75dcea32ddfd3a442f1
Submitter: Jenkins
Branch: master
commit ca3166707b2b8d121d4bf75dcea32ddfd3a442f1
Author: Colleen Murphy <email address hidden>
Date: Thu Oct 20 21:59:55 2016 +0200
Allow federated users to auth with domain scope
When a federated user logs in, openstack_auth receives an unscoped
token and no user_domain_name parameter. Currently, if the federated
user has a role in one or more domains, but no roles in any projects,
openstack_auth prevents authorization and denies the user's login with
the error "You are not authorized for any projects or domains." This is
a problem because first, it's inaccurate, as the user is authorized for
at least one domain, and second, a keystone administrator may want to
give federated users access to a domain without any projects in it, for
example to delegate the creation of projects to the federated users
themselves. This patch allows federated users without project roles to
log in by looking up domains as well as projects when attempting to
scope the token. This lookup is skipped if the domain was passed as
part of the request.
This patch also slightly restructures the OpenStackAuthTestsWebSSO
and OpenStackAuthTestsV3 tests because mox needs to simulate only one instance
of the plugin but two instances of the client objects for every call to
authenticate().
Closes-bug: #1649101
Change-Id: I151218ff28c0728898ed5315d63dd8122ce3b166
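The scoping decision described in the bug report and the commit message, as an added example that is not django-openstack-auth's own code: an unscoped token is first tried against the projects it can be scoped to, then against domains, and a user with neither is refused. Keystone is not contacted; `SAMPLE_ACCESS` is constructed data standing in for what listing a token's available projects and domains would return, `scope_token` and its parameters are hypothetical names, and the request bodies follow the Keystone v3 token rescoping format (`POST /v3/auth/tokens` with the `token` method). Picking the first listed project or domain is a simplification of horizon's default-scope selection.

```python
# Added example: old (projects only) versus fixed (projects, then domains)
# scoping of an unscoped federated token. Not the project's own code.

NOT_AUTHORIZED_MSG = "You are not authorized for any projects or domains."

# Constructed sample data: the projects and domains each unscoped token may
# be scoped to. "fed-token-1" is the federated user from the bug report
# (a role in one domain, none in any project).
SAMPLE_ACCESS = {
    "fed-token-1": {"projects": [], "domains": [{"id": "d1", "name": "acme"}]},
    "local-token-1": {"projects": [{"id": "p1", "name": "demo"}], "domains": []},
    "orphan-token-1": {"projects": [], "domains": []},
}


def rescope_body(unscoped_token, scope):
    """Keystone v3 body that exchanges an unscoped token for a scoped one.
    `scope` is {"project": {...}} or {"domain": {...}}."""
    return {
        "auth": {
            "identity": {"methods": ["token"], "token": {"id": unscoped_token}},
            "scope": scope,
        }
    }


def choose_scope_projects_only(unscoped_token, projects):
    """Pre-fix behaviour: only project roles count, so a domain-only user
    gets None (horizon then shows NOT_AUTHORIZED_MSG)."""
    if not projects:
        return None
    return rescope_body(unscoped_token, {"project": {"id": projects[0]["id"]}})


def choose_scope(unscoped_token, projects, domains, requested_domain=None):
    """Fixed behaviour: fall back to a domain scope when no project is
    available. If the login request already named a domain, scope to it by
    name and skip the domain lookup, as the commit message describes
    (Keystone will reject the rescope if the user has no role there)."""
    if projects:
        return rescope_body(unscoped_token, {"project": {"id": projects[0]["id"]}})
    if requested_domain is not None:
        return rescope_body(unscoped_token, {"domain": {"name": requested_domain}})
    if domains:
        return rescope_body(unscoped_token, {"domain": {"id": domains[0]["id"]}})
    return None


def scope_token(unscoped_token, requested_domain=None, projects_only=False):
    """Hypothetical login step: look up what the token can be scoped to and
    build the rescope request, or return None when login must be refused."""
    access = SAMPLE_ACCESS[unscoped_token]
    if projects_only:
        return choose_scope_projects_only(unscoped_token, access["projects"])
    return choose_scope(unscoped_token, access["projects"], access["domains"],
                        requested_domain)


if __name__ == "__main__":
    for token in SAMPLE_ACCESS:
        for projects_only in (True, False):
            body = scope_token(token, projects_only=projects_only)
            label = "projects-only" if projects_only else "projects+domains"
            if body is None:
                print(f"{token} [{label}]: {NOT_AUTHORIZED_MSG}")
            else:
                print(f"{token} [{label}]: scope={body['auth']['scope']}")
```

Running it shows the federated, domain-only token being refused by the projects-only path and scoped to its domain by the fixed path, while a token with no project or domain access is refused by both.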