Single Sign on Users must have an identity in keystone
Bug #1593362 reported by Sachin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Expired | Undecided | Unassigned |
Bug Description
Single sign on (SSO) users from an external identity provider (IDP) are mapped to a keystone group/user with a mapping rule. The identity of such a user is lost in the context of OpenStack. Once the operation makes it to OpenStack services, only the group is available in the context. This poses multiple problems:
1. The owners of various objects like VMs, Volumes and Networks are not identifiable as that specific SSO user.
2. The user-quota API for various projects like nova, cinder and neutron does not work.
So this was mostly solved in Mitaka and we will continue to work on this issue in Newton. The shadow users spec is now storing all federated users in a keystone database (https://blueprints.launchpad.net/keystone/+spec/shadow-users); we will start allowing individual role assignments to these users in Newton (https://blueprints.launchpad.net/keystone/+spec/shadow-users-newton).