Mapping openstack_project attribute in k2k assertions with different domains

Bug #1442343 reported by Iury Gregory Melo Ferreira on 2015-04-09
Affects: OpenStack Identity (keystone); Importance: Wishlist; Assigned to: Rodrigo Duarte
Affects: Kilo; Importance: Undecided; Assigned to: Unassigned

Bug Description

We can have two projects with the same name in different domains. So if we have a "Project A" in "Domain X" and a "Project A" in "Domain Y", there is no way to tell which "Project A" is being used in a SAML assertion generated by this IdP (we have only the openstack_project attribute in the SAML assertion).

description: updated
Morgan Fainberg (mdrnstm) wrote :

We need to include the domain information in the assertion and/or the entire hierarchy (reseller).

tags: added: kilo-rc-potential
Adam Young (ayoung) wrote :

Assertions need not just the project name, but the domain and all parent projects.

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged

Fix proposed to branch: master
Review: https://review.openstack.org/172536

Changed in keystone:
assignee: nobody → Rodrigo Duarte (rodrigodsousa)
status: Triaged → In Progress
Dolph Mathews (dolph) wrote :

Changing this to Wishlist for the reasoning described in a related bug: https://bugs.launchpad.net/keystone/+bug/1442787/comments/2

Changed in keystone:
importance: Medium → Wishlist
Rodrigo Duarte (rodrigodsousa) wrote :

As per the comment in the related bug report, we can't address this issue by some workaround in the mapping rules. The possibility of mapping different entities from the IdP to the same local entity in the SP can only be fixed by providing all the information necessary to differentiate the IdP entities (in the case of a project: the project name and the project's domain name, or the project id).

tags: added: security
Rodrigo Duarte (rodrigodsousa) wrote :

Created a spec for these new attributes: https://review.openstack.org/#/c/174462/

Thierry Carrez (ttx) on 2015-04-30
tags: removed: kilo-rc-potential
Brant Knudson (blk-u) on 2015-04-30
tags: added: kilo-backport-potential

Reviewed: https://review.openstack.org/172536
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=fa844bc88edb417f9513d19c749886a61d7b26ce
Submitter: Jenkins
Branch: master

commit fa844bc88edb417f9513d19c749886a61d7b26ce
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Fri Apr 10 14:59:34 2015 -0300

    Add openstack_project_domain to assertion

    Currently, a keystone IdP does not provide the domain of the project
    when generating SAML assertions. Since it is possible to have two
    projects with the same name but in different domains, this patch
    adds an additional attribute called "openstack_project_domain"
    in the assertion to identify the domain of the project.

    Closes-Bug: 1442343
    bp assertion-extra-attributes

    Change-Id: I62ed73d87f268c73294738845421deb87088326b

Changed in keystone:
status: In Progress → Fix Committed
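To make the distinction concrete on the service-provider side, here is an added example (not keystone's own mapping engine; every rule, group id and assertion value in it is constructed): a simplified evaluator for keystone-style federation mapping rules, run over an assertion with and without the openstack_project_domain attribute this commit adds.

```python
# Added example, not keystone's own mapping engine: a simplified evaluator for
# keystone-style federation mapping rules, showing why an assertion carrying
# only openstack_project is ambiguous and how openstack_project_domain (the
# attribute added by this fix) lets the SP tell the two projects apart.
# Every rule, group id and assertion value below is constructed.

# Pre-fix style rule: keyed on project name only, so "Project A" from either
# domain lands in the same local group (the collision described in the bug).
LEGACY_MAPPING = {"rules": [{
    "local": [{"group": {"id": "grp-project-a"}}],
    "remote": [{"type": "openstack_project", "any_one_of": ["Project A"]}],
}]}

# Post-fix rules: every condition in "remote" must hold for a rule to fire,
# and any_one_of means some asserted value is in the list.
MAPPING = {"rules": [
    {"local": [{"group": {"id": "grp-project-a-domain-x"}}],
     "remote": [{"type": "openstack_project", "any_one_of": ["Project A"]},
                {"type": "openstack_project_domain", "any_one_of": ["Domain X"]}]},
    {"local": [{"group": {"id": "grp-project-a-domain-y"}}],
     "remote": [{"type": "openstack_project", "any_one_of": ["Project A"]},
                {"type": "openstack_project_domain", "any_one_of": ["Domain Y"]}]},
]}


def _condition_matches(condition, assertion):
    """True if the assertion carries the attribute and one of its values is
    in any_one_of; a missing attribute never matches."""
    values = assertion.get(condition["type"], [])
    return any(v in condition["any_one_of"] for v in values)


def groups_for_assertion(assertion, mapping=MAPPING):
    """Return the local group ids granted by every rule whose remote
    conditions all match the assertion's attributes."""
    granted = []
    for rule in mapping["rules"]:
        if all(_condition_matches(c, assertion) for c in rule["remote"]):
            granted.extend(e["group"]["id"] for e in rule["local"])
    return granted


# Constructed assertions: a pre-fix IdP emits no domain attribute; a fixed
# IdP also emits openstack_project_domain.
ASSERTION_NO_DOMAIN = {"openstack_user": ["alice"],
                       "openstack_project": ["Project A"]}
ASSERTION_DOMAIN_X = dict(ASSERTION_NO_DOMAIN, openstack_project_domain=["Domain X"])
ASSERTION_DOMAIN_Y = dict(ASSERTION_NO_DOMAIN, openstack_project_domain=["Domain Y"])
```

With the legacy rule both domain-X and domain-Y assertions collapse into the same local group; with the domain-aware rules a domain-less assertion matches nothing, and each domain-qualified assertion matches exactly its own group.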

Reviewed: https://review.openstack.org/179195
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0c0bf69ceff55d81054a61123cccabb721b96b09
Submitter: Jenkins
Branch: stable/kilo

commit 0c0bf69ceff55d81054a61123cccabb721b96b09
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Fri Apr 10 14:59:34 2015 -0300

    Add openstack_project_domain to assertion

    Currently, a keystone IdP does not provide the domain of the project
    when generating SAML assertions. Since it is possible to have two
    projects with the same name but in different domains, this patch
    adds an additional attribute called "openstack_project_domain"
    in the assertion to identify the domain of the project.

    Closes-Bug: 1442343
    bp assertion-extra-attributes

    Change-Id: I62ed73d87f268c73294738845421deb87088326b
    (cherry picked from commit fa844bc88edb417f9513d19c749886a61d7b26ce)

tags: added: in-stable-kilo
Changed in keystone:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in keystone:
milestone: liberty-1 → 8.0.0