Mapping openstack_user attribute in k2k assertions with different domains

Bug #1442787 reported by Rodrigo Duarte
Affects                         Status         Importance   Assigned to      Milestone
OpenStack Identity (keystone)   Fix Released   Wishlist     Rodrigo Duarte
Kilo                            Fix Released   Undecided    Unassigned

Bug Description

We can have two users with the same username in different domains. So if we have a "User A" in "Domain X" and a "User A" in "Domain Y", there is no way to tell which "User A" is being used in a SAML assertion generated by this IdP (we have only the openstack_user attribute in the SAML assertion).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/172562

Changed in keystone:
assignee: nobody → Rodrigo Duarte (rodrigodsousa)
status: New → In Progress
Revision history for this message
Dolph Mathews (dolph) wrote :

Marking this as Wishlist since it's essentially proposing to add a new attribute to a public API, but it also looks like a rather important design oversight. Can this be addressed on the mapping side, somehow, without introducing a new attribute at all?

Changed in keystone:
importance: Undecided → Wishlist
Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

Don't think so... We need this attribute in order to differentiate the user passed in the assertion; using only the mapping rules, there is no way to perform such differentiation.

Revision history for this message
Guang Yee (guang-yee) wrote :

If we can't guarantee the username is unique for a given IdP, that means the audit trail and non-repudiation are likely broken as well. Though at the SP side, an IdP is effectively mapped into a domain, as the domain owns the user group.

A good side-effect from the above change would give us the ability to set up a single mapping for multiple domains. :)

information type: Public → Public Security
Revision history for this message
Jeremy Stanley (fungi) wrote :

Rodrigo: What was the reason for switching this bug to a security vulnerability? If you simply want to indicate that it has security implications but is not thought to be an exploitable condition, then it should remain a normal public bug and instead you can add a "security" tag.

Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

Ok, thanks for clarifying the difference! Will add the security tag.

information type: Public Security → Public
tags: added: security
Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

Created a spec for this new attribute: https://review.openstack.org/#/c/174462/

Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Marek Denis (marek-denis)
Brant Knudson (blk-u)
tags: added: kilo-backport-potential
Changed in keystone:
assignee: Marek Denis (marek-denis) → Rodrigo Duarte (rodrigodsousa)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/172562
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ae2d7075ff58e426e324e2eac57c852ffd4bc804
Submitter: Jenkins
Branch: master

commit ae2d7075ff58e426e324e2eac57c852ffd4bc804
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Fri Apr 10 17:27:12 2015 -0300

    Add openstack_user_domain to assertion

    Currently, a keystone IdP does not provide the domain of the user
    when generating SAML assertions. Since it is possible to have two
    users with the same username but in different domains, this patch
    adds an additional attribute called "openstack_user_domain"
    in the assertion to identify the domain of the user.

    Closes-Bug: 1442787
    bp assertion-extra-attributes

    Change-Id: I65d5c02c0a21f4d4c1b54f8aa56e27950d20badd
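
To make the collision described in the bug report and resolved by the commit above concrete, here is an added example (not the patch and not keystone's own code): a minimal evaluator for the {N}-substitution subset of keystone's JSON mapping rules, run over two constructed assertions that carry the same openstack_user in different domains. The rule bodies, assertion contents and helper names are assumptions built for this illustration.

```python
"""Added example (not keystone code): why openstack_user alone is ambiguous.
Evaluates only the {N}-substitution subset of keystone's JSON mapping rules."""

# SP-side mapping rules (constructed). Before the fix only openstack_user
# existed in the assertion, so a rule could reference nothing else.
RULE_USER_ONLY = {"rules": [{
    "local": [{"user": {"name": "{0}"}}],
    "remote": [{"type": "openstack_user"}],
}]}
# After the fix the rule can also consume openstack_user_domain.
RULE_USER_AND_DOMAIN = {"rules": [{
    "local": [{"user": {"name": "{0}", "domain": {"name": "{1}"}}}],
    "remote": [{"type": "openstack_user"}, {"type": "openstack_user_domain"}],
}]}

# Attribute statements of two assertions from one keystone IdP (constructed):
# same username, different domains. The third comes from an IdP without the fix.
ASSERTION_X = {"openstack_user": "User A", "openstack_user_domain": "Domain X"}
ASSERTION_Y = {"openstack_user": "User A", "openstack_user_domain": "Domain Y"}
ASSERTION_OLD_IDP = {"openstack_user": "User A"}


def _render(node, values):
    """Substitute {0}, {1}, ... in every string of a local-rule fragment."""
    if isinstance(node, str):
        return node.format(*values)
    if isinstance(node, dict):
        return {k: _render(v, values) for k, v in node.items()}
    return node


def apply_mapping(mapping, assertion):
    """Local user from the first rule whose remote attributes all exist in
    the assertion; None when no rule matches."""
    for rule in mapping["rules"]:
        try:
            values = [assertion[r["type"]] for r in rule["remote"]]
        except KeyError:
            continue  # rule needs an attribute this assertion lacks
        return _render(rule["local"][0]["user"], values)
    return None


def identity_key(user):
    """(name, domain) pair under which the SP tells federated users apart."""
    return (user["name"], user.get("domain", {}).get("name"))


def collide(mapping):
    """True when assertions X and Y resolve to the same local identity."""
    return identity_key(apply_mapping(mapping, ASSERTION_X)) == \
        identity_key(apply_mapping(mapping, ASSERTION_Y))
```

Note the caveat the evaluator exposes: a rule that requires openstack_user_domain does not match assertions from an IdP that lacks the fix, so an SP cannot rely on the domain attribute until its peer IdPs carry this change.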

Changed in keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/181007

Changed in keystone:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/181007
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e9aa2673928c265f6592334e737c2bbafeb0026b
Submitter: Jenkins
Branch: stable/kilo

commit e9aa2673928c265f6592334e737c2bbafeb0026b
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Fri Apr 10 17:27:12 2015 -0300

    Add openstack_user_domain to assertion

    Currently, a keystone IdP does not provide the domain of the user
    when generating SAML assertions. Since it is possible to have two
    users with the same username but in different domains, this patch
    adds an additional attribute called "openstack_user_domain"
    in the assertion to identify the domain of the user.

    Closes-Bug: 1442787
    bp assertion-extra-attributes

    Change-Id: I65d5c02c0a21f4d4c1b54f8aa56e27950d20badd
    (cherry picked from commit ae2d7075ff58e426e324e2eac57c852ffd4bc804)

tags: added: in-stable-kilo
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-1 → 8.0.0