Relax the requirement for mappings to result in group memberships

Bug #1601929 reported by Steve Martinelli on 2016-07-11
Affects: OpenStack Identity (keystone)
Importance: High
Assigned to: Ron De Rose

Bug Description

With the introduction of shadow users, we should not require mappings to result in group memberships. This should not require an API change, but would allow for much simpler mappings to be used (literally just assigning a unique ID, and nothing more), which would be sufficient to allow federated users to receive manually assigned concrete role assignments (a process that operators are already familiar with).

Guang Yee (guang-yee) wrote :

We support that today already I think. Just add the "type" attribute.

"type": "local"

Is this for ephemeral users?

Steve Martinelli (stevemar) wrote :

@gyee, yeah, it's for our now no-longer ephemeral users.

Steve Martinelli (stevemar) wrote :

Bumping the priority on this one, it would be really beneficial for shadowing federated users.

Changed in keystone:
importance: Medium → High

Dolph Mathews (dolph) wrote :

This really isn't a bug - it's a feature gap that's addressed by https://review.openstack.org/#/c/324055/

Dolph Mathews (dolph) wrote :

Disregard comment #4 -- after talking this over with Steve, I've revised the bug description to more narrowly define the behavior that we're looking for here, without having to implement any new features (specifically, anything along the lines of https://review.openstack.org/#/c/324055/ ).

description: updated

Steve Martinelli (stevemar) wrote :

No patch up for this yet, I'm assuming this will land in Ocata with the rest of the work to improve the federation mapping code.

Changed in keystone:
milestone: newton-3 → next
Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
milestone: next → newton-3
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Ron De Rose (ronald-de-rose)

Reviewed: https://review.openstack.org/358111
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7ba53701989490667d220a3faecae2b484a007c5
Submitter: Jenkins
Branch: master

commit 7ba53701989490667d220a3faecae2b484a007c5
Author: Ronald De Rose <email address hidden>
Date: Fri Aug 19 20:44:56 2016 +0000

    Relax the requirement for mappings to result in group memberships

    Now that we're able to grant authorization to federated users using
    concrete role assignments, we can drop the requirement for the mapping
    engine to result in any authorization (via group membership) at all.

    Closes-Bug: #1601929
    Change-Id: Ie144e20deb4a0bb987182de5c9231a14f0aa2bc8

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 10.0.0.0b3 development milestone.
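
The behaviour requested in the bug description, as an added example that is not keystone's code and not part of the original report: a simplified model of mapping evaluation in which a rule that only assigns a user name is rejected when groups are required and accepted when that requirement is relaxed. The sample mapping, the group ID placeholder, and the names `evaluate`, `rule_values` and `MissingGroups` are assumptions made for this illustration.

```python
# Simplified model of mapping evaluation; not keystone's implementation.
class MissingGroups(Exception):
    """Strict (pre-change) behaviour: the mapping produced no group."""

# Constructed sample mapping: rule 0 only names the user, rule 1 adds a group.
MAPPING = {"rules": [
    {"local": [{"user": {"name": "{0}"}}],
     "remote": [{"type": "REMOTE_USER"}]},
    {"local": [{"group": {"id": "GROUP_ID_PLACEHOLDER"}}],
     "remote": [{"type": "orgPersonType", "any_one_of": ["Contractor"]}]},
]}

def rule_values(rule, assertion):
    """Return the matched remote values, or None if the rule does not apply."""
    values = []
    for req in rule["remote"]:
        value = assertion.get(req["type"])
        if value is None:
            return None
        if "any_one_of" in req and value not in req["any_one_of"]:
            return None
        values.append(value)
    return values

def evaluate(mapping, assertion, require_groups=False):
    """Merge every matching rule into one mapped identity."""
    result = {"user": None, "group_ids": []}
    for rule in mapping["rules"]:
        values = rule_values(rule, assertion)
        if values is None:
            continue
        for entry in rule["local"]:
            if "user" in entry and result["user"] is None:
                result["user"] = entry["user"]["name"].format(*values)
            if "group" in entry:
                result["group_ids"].append(entry["group"]["id"])
    if result["user"] is None:
        raise ValueError("no rule produced a user")
    if require_groups and not result["group_ids"]:
        raise MissingGroups(result["user"])
    return result

if __name__ == "__main__":
    print(evaluate(MAPPING, {"REMOTE_USER": "alice"}))
    print(evaluate(MAPPING, {"REMOTE_USER": "bob", "orgPersonType": "Contractor"}))
```

A user mapped with an empty `group_ids` list carries no authorization from the mapping itself, so any access comes only from role assignments made directly to that user.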
