Federation: user's name in rules not respected

Bug #1482701 reported by Marek Denis on 2015-08-07
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Marek Denis

Bug Description

For a mapping rule (note that the local user name and user id are different):

[
    {
        "local": [
            {
                "group": {
                    "id": "852d0dc079cf4709813583e92498e625"
                }
            },
            {
                "user": {
                    "id": "marek",
                    "name": "federated_user"
                }
            }
        ],
        "remote": [
            {
                "any_one_of": [
                    "user1",
                    "admin"
                ],
                "type": "openstack_user"
            }
        ]
    }
]

I can authenticate via the federated workflow, but the token JSON response has the following (note that id and name are identical):

u'user': {u'OS-FEDERATION': {u'groups': [{u'id': u'852d0dc079cf4709813583e92498e625'}],
                                         u'identity_provider': {u'id': u'keystone-idp'},
                                         u'protocol': {u'id': u'saml2'}},
                      u'domain': {u'id': u'Federated',
                                  u'name': u'Federated'},
                      u'id': u'marek',
                      u'name': u'marek'}}}

This happens for both UUID and Fernet tokens.
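The following is an added example, not keystone code and not part of the bug report. It evaluates the mapping rule above with a deliberately small subset of keystone's mapping engine (only `any_one_of` / `not_any_of` matching on one assertion attribute, with the user name falling back to the id when a rule gives no name), then checks whether a token's `user` block kept the mapped name. The assertion values and the token dict are constructed samples modelled on the report; the function names are this example's own.

```python
"""Evaluate a keystone-style federation mapping rule and check that the
resulting token still carries the mapped user name (the defect in the
report is that 'name' collapses to the user id).

Added example; the mapping evaluation is a simplified model of keystone's
engine, not the real implementation.
"""

import json

# The mapping rule from the bug report: local user name and id differ on purpose.
MAPPING_RULES = json.loads("""
[
    {
        "local": [
            {"group": {"id": "852d0dc079cf4709813583e92498e625"}},
            {"user": {"id": "marek", "name": "federated_user"}}
        ],
        "remote": [
            {"any_one_of": ["user1", "admin"], "type": "openstack_user"}
        ]
    }
]
""")


def remote_matches(remote_req, assertion):
    """True when one 'remote' requirement is satisfied by the assertion.

    Supports 'any_one_of' and 'not_any_of'; a requirement with neither is
    satisfied whenever the attribute is present.  An attribute value may
    be a single string or a list of strings (multi-valued SAML attributes).
    """
    values = assertion.get(remote_req["type"])
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    if "any_one_of" in remote_req:
        return any(v in remote_req["any_one_of"] for v in values)
    if "not_any_of" in remote_req:
        return all(v not in remote_req["not_any_of"] for v in values)
    return True


def apply_mapping(rules, assertion):
    """Return {'user': {...}, 'group_ids': [...]} from the first rule whose
    remote requirements all match, or None when nothing matches (keystone
    would refuse the federated login in that case)."""
    for rule in rules:
        if not all(remote_matches(req, assertion) for req in rule["remote"]):
            continue
        user, group_ids = {}, []
        for local in rule["local"]:
            if "user" in local:
                user.update(local["user"])
            if "group" in local:
                group_ids.append(local["group"]["id"])
        # Simplification: a rule without an explicit name reuses the id.
        user.setdefault("name", user.get("id"))
        return {"user": user, "group_ids": group_ids}
    return None


def token_name_mismatch(mapped, token_user):
    """Describe the defect if the token's user name differs from what the
    mapping produced; return None when the token is consistent."""
    expected = mapped["user"]["name"]
    actual = token_user.get("name")
    if actual != expected:
        return "token user name %r, mapping produced %r" % (actual, expected)
    return None


def check_reported_token():
    """Run the check against a constructed copy of the token in the report."""
    mapped = apply_mapping(MAPPING_RULES, {"openstack_user": "admin"})
    # Constructed sample: the 'user' block the report shows (name == id).
    token_user = {
        "OS-FEDERATION": {
            "groups": [{"id": "852d0dc079cf4709813583e92498e625"}],
            "identity_provider": {"id": "keystone-idp"},
            "protocol": {"id": "saml2"},
        },
        "domain": {"id": "Federated", "name": "Federated"},
        "id": "marek",
        "name": "marek",
    }
    return token_name_mismatch(mapped, token_user)


if __name__ == "__main__":
    print(apply_mapping(MAPPING_RULES, {"openstack_user": "admin"}))
    print(check_reported_token())
```

`check_reported_token()` returns a non-None description for the token shown in the report, and None once a token carries `"name": "federated_user"`; the same check can be run against any token response to confirm the mapped name survived.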

Changed in keystone:
importance: Undecided → Medium
Dolph Mathews (dolph) on 2015-08-07
Changed in keystone:
status: New → Triaged
Changed in keystone:
status: Triaged → In Progress
description: updated
Lance Bragstad (lbragstad) wrote :

I ran this bug by the Keystone Meeting [0] to get a feel for what direction we should take for fixing this in the Fernet case. We have two options: the first is that username and user id have to be the same in the federated fernet case in order for it to work. The second is that we persist the user id and the user name in the fernet payload. Today, we only persist the user id. This will result in federated fernet tokens being a little bigger, depending on the user name (pushing real close to the 255 character limit on non-federated Fernet tokens).

The general consensus in the meeting was to add the username to the Fernet payload. The full transcript can be found in the IRC meetings logs [0].

[0] http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2015-08-11.log.html

Changed in keystone:
milestone: liberty-3 → liberty-rc1
Changed in keystone:
assignee: Marek Denis (marek-denis) → Lin Hua Cheng (lin-hua-cheng)
Changed in keystone:
assignee: Lin Hua Cheng (lin-hua-cheng) → Marek Denis (marek-denis)
Changed in keystone:
milestone: liberty-rc1 → none

Change abandoned by Steve Martinelli (<email address hidden>) on branch: master
Review: https://review.openstack.org/211093
Reason: use https://review.openstack.org/#/c/335617/1 instead

Reviewed: https://review.openstack.org/335617
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2042c955c81929deb47bc8cc77082b085faaa47d
Submitter: Jenkins
Branch: master

commit 2042c955c81929deb47bc8cc77082b085faaa47d
Author: Roxana Gherle <email address hidden>
Date: Wed Jun 29 11:21:13 2016 -0700

    Fix the username value in federated tokens

    Currently, in both unscoped and scoped federated tokens, the
    username value in the token is equal to the userid and not to
    the value of the username in the external identity provider.
    This makes WebSSO login to show the userid of the logged-in
    user in the Horizon dashboard, whereas before it was showing
    the actual user name.

    This patch fixes the value of the username in the federated
    tokens, which will fix the WebSSO issue as well, since Horizon
    looks at the username value and displays that as the logged-in user.

    Closes-Bug: #1597101
    Closes-Bug: #1482701
    Change-Id: I33a0274641c4e6bc4e127f5206ba9bc7dbd8e5a8

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → newton-3

Reviewed: https://review.openstack.org/343820
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=176cbf2551a4aee2d544190df363fba44502bd0c
Submitter: Jenkins
Branch: stable/mitaka

commit 176cbf2551a4aee2d544190df363fba44502bd0c
Author: Roxana Gherle <email address hidden>
Date: Wed Jun 29 11:21:13 2016 -0700

    Fix the username value in federated tokens

    Currently, in both unscoped and scoped federated tokens, the
    username value in the token is equal to the userid and not to
    the value of the username in the external identity provider.
    This makes WebSSO login to show the userid of the logged-in
    user in the Horizon dashboard, whereas before it was showing
    the actual user name.

    This patch fixes the value of the username in the federated
    tokens, which will fix the WebSSO issue as well, since Horizon
    looks at the username value and displays that as the logged-in user.

    Closes-Bug: #1597101
    Closes-Bug: #1482701
    Change-Id: I33a0274641c4e6bc4e127f5206ba9bc7dbd8e5a8
    (cherry picked from commit 2042c955c81929deb47bc8cc77082b085faaa47d)

tags: added: in-stable-mitaka

This issue was fixed in the openstack/keystone 10.0.0.0b3 development milestone.

This issue was fixed in the openstack/keystone 9.2.0 release.
