Group ids are not validated after SAML2->groups mapping and federated token scoping
Bug #1290258 reported by Marek Denis
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Marek Denis | 2014.1
Bug Description
During federated authentication a dedicated mechanism called RuleProcessor maps SAML2 parameters into Keystone groups. It's done by matching certain rules added by cloud administrators. However, Keystone doesn't check whether the resulting groups are present in the backend. This may lead to errors ("mapping doesn't work as expected") due to a typo in the rule, or situations where a group was deleted and admins are not aware of that fact.
The fix should include a function that checks whether all the groups are present in the backend and, if not, logs a warning and removes nonexistent groups from the list. The same policy should be applied when scoping a federated unscoped token.
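The check the report asks for, as an added example that is not keystone's code and does not mirror its RuleProcessor: constructed mapping rules are applied to constructed SAML assertion attributes, then every mapped group id is looked up in a constructed set of backend groups, with unknown ids logged and dropped. The rule format, the function names (apply_mapping, validate_groups, groups_for_assertion) and the sample data are all assumptions made for this illustration.

```python
"""Added example (not keystone's code): apply SAML2->group mapping rules,
then drop mapped group ids that do not exist in the identity backend and
log a warning for each, as the bug report requests.  The rule format, the
function names and the sample data below are hypothetical."""
import logging

LOG = logging.getLogger(__name__)

# Constructed sample: group ids the identity backend actually knows about.
KNOWN_GROUPS = {"admins", "developers"}

# Constructed, admin-supplied mapping rules: a rule fires when every
# 'match' attribute equals the assertion's value, and yields 'groups'.
# The second rule carries a typo ("develpers"); the third names a group
# ("qa") that no longer exists in the backend.
MAPPING_RULES = [
    {"match": {"role": "admin"}, "groups": ["admins"]},
    {"match": {"role": "dev"}, "groups": ["develpers"]},
    {"match": {"team": "qa"}, "groups": ["qa", "developers"]},
]


def apply_mapping(rules, assertion):
    """Return the group ids produced by every rule matching `assertion`.

    This is the unvalidated mapping step the bug is about: nothing here
    checks that the returned ids exist."""
    groups = []
    for rule in rules:
        if all(assertion.get(k) == v for k, v in rule["match"].items()):
            for g in rule["groups"]:
                if g not in groups:
                    groups.append(g)
    return groups


def validate_groups(group_ids, backend_groups, log=LOG):
    """Keep only ids present in `backend_groups`; warn about the rest.

    Returns (valid, dropped) so the caller can decide whether an empty
    result should be treated as a broken mapping."""
    valid, dropped = [], []
    for g in group_ids:
        if g in backend_groups:
            valid.append(g)
        else:
            dropped.append(g)
            log.warning("mapped group %r does not exist in the backend; "
                        "check the mapping rule for a typo or a deleted "
                        "group", g)
    return valid, dropped


def groups_for_assertion(assertion, rules=MAPPING_RULES,
                         backend_groups=KNOWN_GROUPS):
    """Mapping followed by validation: the behaviour the fix should give.

    The same validate_groups() call belongs at scope time too, because a
    group may be deleted between issuing an unscoped token and scoping it."""
    mapped = apply_mapping(rules, assertion)
    valid, _dropped = validate_groups(mapped, backend_groups)
    return valid


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed assertion attributes for a developer on the QA team.
    print(groups_for_assertion({"role": "dev", "team": "qa"}))
```

For the constructed developer assertion the raw mapping yields three ids ("develpers", "qa", "developers"); validation warns twice and keeps only "developers". Re-running validate_groups on the group ids carried by an unscoped token at scope time is what covers the second half of the report.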
Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
Changed in keystone:
milestone: none → icehouse-rc1
importance: Undecided → High
Changed in keystone:
assignee: Marek Denis (marek-denis) → David Stanek (dstanek)
Changed in keystone:
assignee: David Stanek (dstanek) → Marek Denis (marek-denis)
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: icehouse-rc1 → 2014.1
Fix proposed to branch: master
Review: https://review.openstack.org/79284