Federation Unable to handle multiple groups
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
I'm using OIDC federated authentication, I'm able to use the mapping json to do ephemeral user authentication.
Following is my mapping json:
[
{
"local": [
{
},
"domain": {
}
],
"remote": [
{
},
{
},
{
]
}
]
}
]
and when tested with the keystone-mange mapping, I'm able to see multiple groups properly.
output of Keystone-mapping verification.
{
"group_ids": [
"5207b97776
],
"user": {
"domain": {
"id": "Federated"
},
"type": "ephemeral",
"name": "<email address hidden>"
},
"group_names": []
}
However, when the same flow is executed thru the OIDC I get the following error message
{"error": {"message": "Group ['5207b97776914
I looked into the util.py code and printed the groups that were coming into the validate_
validate_
2016-04-26 12:38:46.750572 25124 DEBUG keystone.
2016-04-26 12:38:46.750704 25124 DEBUG keystone.
2016-04-26 12:38:47.092780 25124 WARNING keystone.
(END)
it looks like the list is formed incorrectly
[u"['5207b97776
it should have been
[u'5207b9777691
Thanks,
Krishna
| affects: | centos → ubuntu |
| no longer affects: | ubuntu |
| description: | updated |
| Krishna (kathurko) wrote | #1 |
| tags: | added: liberty-backport-potential |
| Dolph Mathews (dolph) wrote | #2 |
| Dolph Mathews (dolph) wrote | #3 |
| Changed in keystone: | |
| status: | New → Invalid |
Upon talking to Steve and Henry, This is really not a bug.
instead , to get the list of groups, group_ids have to be used.
[
{
"local": [
{
}
],
"remote": [
{
},
{
},
{
]
}
]
}
]
However, this only works in Mitaka since group_ids is not handled in liberty code.
since this is an important feature,
i'd like to request the utils.py code that handles group_ids in mitaka to be back ported to liberty.
THanks,
Krishna