Add user objects to mapping rules examples in OS-FEDERATION docs

Bug #1312221 reported by Marek Denis
Affects: openstack-api-site (Status: Fix Released, Importance: Medium, Assigned to: Marek Denis)

Bug Description

All the mapping rules should produce not only a set of Keystone group ids but also a user_id. It is also required by the mapping engine (https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L224). Unfortunately, not all examples in the OS-FEDERATION extension include it. This should be fixed, and the docs should clearly state that all the rules should map the user name.

Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
Revision history for this message
Dolph Mathews (dolph) wrote :

Isn't the actual bug that the role processor requires a name in the output?

Changed in keystone:
status: New → Incomplete
Marek Denis (marek-denis) wrote :

I think we had a couple of discussions on whether we should require user mapping, and eventually one of the major requirements for that was accounting/auditing. That's why a special condition checking whether the user was mapped was added. Also note that the term "user mapping" doesn't mean "mapping to an existing user". It's just a user_id that may help trace who did certain operations and when. I also think a good practice would be mapping one single attribute from the SAML assertion as a user_id. Since different IdPs issue different assertions (parameter names) you cannot make a general rule for that.

Dolph Mathews (dolph) wrote :

The intermixed use of user "id" and user "name" here had me confused - IIRC, the name is arbitrarily owned by the IdP, and we generate an ID based on that name.

I'm still lost on which "examples" this is referring to - in documentation or elsewhere?

Marek Denis (marek-denis) wrote :

If { "user": { "name": [...] } } is missing in the 'local' object in the rules, Keystone will raise exceptions.Unauthorized(). I was referring to the rule examples in the OS-FEDERATION extension documentation. See https://review.openstack.org/#/c/90121/ .
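
An added example (editor's code, not Keystone's or the identity-api's own) that checks a mapping document for the missing local user object described above and resolves the user name a rule would produce. The rule layout follows the OS-FEDERATION mapping format (local/remote lists, "{n}" referring to the n-th remote attribute); the sample mapping and assertion values are constructed, and single-valued assertion attributes are assumed.

```python
import json

# Constructed sample mapping in the OS-FEDERATION rule shape: the first
# rule omits the local "user" object (only a group id is produced), the
# second one includes it, so it yields a user_id usable for auditing.
SAMPLE_MAPPING = json.loads("""
{
  "rules": [
    {
      "local": [{"group": {"id": "0cd5e9"}}],
      "remote": [{"type": "orgPersonType", "any_one_of": ["Contractor"]}]
    },
    {
      "local": [{"user": {"name": "{0}"}}, {"group": {"id": "0cd5e9"}}],
      "remote": [{"type": "UserName"},
                 {"type": "orgPersonType", "any_one_of": ["Contractor"]}]
    }
  ]
}
""")


def rules_without_user(mapping):
    """Return indices of rules whose local part never sets user.name.

    Such rules produce group ids but no user_id; the thread notes the
    mapping engine rejects them, and they leave nothing to trace actions to.
    """
    missing = []
    for idx, rule in enumerate(mapping["rules"]):
        has_user = any(
            isinstance(item.get("user"), dict) and item["user"].get("name")
            for item in rule.get("local", [])
        )
        if not has_user:
            missing.append(idx)
    return missing


def mapped_user_name(rule, assertion):
    """Resolve one rule's local user name against assertion attributes.

    "{n}" in the name is replaced by the value of the n-th remote entry's
    attribute (assumption: each attribute carries a single value).
    Returns None when the rule has no local user object.
    """
    values = [assertion[r["type"]] for r in rule["remote"]]
    for item in rule["local"]:
        if "user" in item:
            return item["user"]["name"].format(*values)
    return None
```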

Dolph Mathews (dolph)
affects: keystone → openstack-api-site
Changed in openstack-api-site:
status: Incomplete → Confirmed
Changed in openstack-api-site:
status: Confirmed → In Progress
Changed in openstack-api-site:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to identity-api (master)

Reviewed: https://review.openstack.org/90121
Committed: https://git.openstack.org/cgit/openstack/identity-api/commit/?id=d88942944ed01dd5aba7519a817fafdaed73aa99
Submitter: Jenkins
Branch: master

commit d88942944ed01dd5aba7519a817fafdaed73aa99
Author: Marek Denis <email address hidden>
Date: Thu Apr 24 17:36:45 2014 +0200

    Add ``user`` object to the mapping rules examples.

    Every rule should have a local ``user`` object that is used to
    produce a unique user_id of the federated user. Not all examples of the
    OS-FEDERATION extension included such object.

    Change-Id: Ib1a2a956cb3638402b283ad13841f48d31814240
    Closes-Bug: #1312221

Changed in openstack-api-site:
status: In Progress → Fix Released