Do not depend on protocol-specific IDs when creating a federation token

Bug #1390100 reported by Steve Martinelli
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Wishlist | Rodrigo Duarte |

Bug Description

In token.provider.common we have a check before issuing a federation token that checks if the method name used agrees with a hard-coded protocol name.

  i.e.: if 'saml2' in method_names or 'oidc' in method_names

This should be done in a more dynamic way, so if more auth methods are supported, then they are automatically seen as federation methods.

fix 1: potentially have a federation_methods in [auth] that lists valid federation methods (very similar to methods in [auth])
fix 2: check the method name against protocol list ids

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/133130

Changed in keystone:
assignee: nobody → Rodrigo Duarte (rodrigodsousa)
status: New → In Progress
Steve Martinelli (stevemar) wrote :

I think fix #2 makes the most sense

Rodrigo Duarte (rodrigodsousa) wrote :

The first solution was implementing fix #2. But it seems that the "protocol_id" doesn't need to follow the auth method names defined in keystone.conf.

Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Marek Denis (marek-denis)
Changed in keystone:
assignee: Marek Denis (marek-denis) → Rodrigo Duarte (rodrigodsousa)
Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Marek Denis (marek-denis)
Changed in keystone:
assignee: Marek Denis (marek-denis) → Rodrigo Duarte (rodrigodsousa)
Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Marek Denis (marek-denis)
Changed in keystone:
assignee: Marek Denis (marek-denis) → Rodrigo Duarte (rodrigodsousa)
Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Marek Denis (marek-denis)
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Wishlist
Changed in keystone:
assignee: Marek Denis (marek-denis) → Rodrigo Duarte (rodrigodsousa)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/133130
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=10a592d89c819544770fe8e786a4805721693184
Submitter: Jenkins
Branch: master

commit 10a592d89c819544770fe8e786a4805721693184
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Thu Nov 6 22:06:18 2014 -0300

    Adds dynamic checking for mapped tokens

    Avoids having to manually add protocols to check if it is a mapped
    token. This check is done by using the identity_provider and protocol
    fields in the token; if they are present, it means the token being
    analysed is a mapped one.

    Co-Authored-By: Marek Denis <email address hidden>

    Change-Id: I5a695fa2efa8da151158a15c3b7ec8885d57c2d1
    Closes-Bug: 1390100

Changed in keystone:
status: In Progress → Fix Committed
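
A side-by-side sketch of the three checks discussed in this report (an added example, not keystone's code): the hard-coded test from the description, fix 2, and the field-presence test the merged commit message describes. The token layout, the protocol ids, the "x509" and "corp-certs" names and all function names are assumptions made for illustration.

```python
# Added illustration, not keystone code. Token layout and all names are assumed.
HARD_CODED_METHODS = ("saml2", "oidc")
# Constructed protocol ids, as an operator might register them for an IdP.
REGISTERED_PROTOCOL_IDS = {"saml2", "corp-certs"}


def mapped_by_hard_coded_names(token):
    """The check quoted in the bug description."""
    return any(name in token["methods"] for name in HARD_CODED_METHODS)


def mapped_by_protocol_ids(token, protocol_ids=REGISTERED_PROTOCOL_IDS):
    """Fix 2: compare auth method names against the registered protocol ids."""
    return bool(set(token["methods"]) & set(protocol_ids))


def mapped_by_token_fields(token):
    """Approach in the merged commit message: a token is mapped when it
    carries both an identity_provider and a protocol."""
    fed = token.get("federation") or {}
    return bool(fed.get("identity_provider")) and bool(fed.get("protocol"))


# Constructed sample tokens (simplified; not the real token schema).
SAMPLE_TOKENS = {
    "saml2, id matches method": {
        "methods": ["saml2"],
        "federation": {"identity_provider": "idp-a", "protocol": "saml2"}},
    "new method, id matches": {
        "methods": ["corp-certs"],
        "federation": {"identity_provider": "idp-b", "protocol": "corp-certs"}},
    "new method, id differs": {
        "methods": ["x509"],
        "federation": {"identity_provider": "idp-b", "protocol": "corp-certs"}},
    "local password login": {"methods": ["password"]},
}


def classify(tokens=SAMPLE_TOKENS):
    """Return {label: (hard_coded, protocol_ids, token_fields)} per token."""
    return {label: (mapped_by_hard_coded_names(t),
                    mapped_by_protocol_ids(t),
                    mapped_by_token_fields(t))
            for label, t in tokens.items()}


if __name__ == "__main__":
    for label, verdicts in classify().items():
        print(f"{label:26} hard-coded/fix-2/fields = {verdicts}")
```

The "new method, id differs" row is the case raised in the comments: a protocol id that does not match any auth method name is missed by both name-based checks, while the field-presence check still classifies the token as mapped.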
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (feature/hierarchical-multitenancy)

Fix proposed to branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (feature/hierarchical-multitenancy)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Changed in keystone:
milestone: none → kilo-1
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-1 → 2015.1.0