Relax the requirement for mappings to result in group memberships

Bug #1601929 reported by Steve Martinelli
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Ron De Rose

Bug Description

With the introduction of shadow users, we should not require mappings to result in group memberships. This should not require an API change, but would allow for much simpler mappings to be used (literally just assigning a unique ID, and nothing more), which would be sufficient to allow federated users to receive manually assigned concrete role assignments (a process that operators are already familiar with).

Tags: federation
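
Added example, not part of the original bug report or of keystone's own code: a small Python audit over a federation mapping document that separates rules assigning only a user identity (the simpler mappings the description asks for) from rules that also assign groups. The sample mapping, its remote attribute names and the group ID placeholder are constructed, and the set of keys treated as group-bearing is an assumption of this example.

```python
import json

# Constructed sample in Keystone's federation mapping rule format.
# The remote attribute names and the group ID are made-up values.
SAMPLE_MAPPING = json.loads("""
{"rules": [
  {"local":  [{"user": {"name": "{0}"}}],
   "remote": [{"type": "REMOTE_USER"}]},
  {"local":  [{"user": {"name": "{0}"}},
              {"group": {"id": "GROUP_ID_PLACEHOLDER"}}],
   "remote": [{"type": "REMOTE_USER"},
              {"type": "REMOTE_GROUPS", "any_one_of": ["ops"]}]}
]}
""")

# Assumption: keys of a "local" entry treated here as conferring groups.
GROUP_KEYS = ("group", "groups", "group_ids")


def audit_mapping(mapping):
    """Classify each rule by where its users' authorization must come from."""
    report = []
    for index, rule in enumerate(mapping.get("rules", [])):
        local = rule.get("local", [])
        maps_user = any("user" in entry for entry in local)
        maps_group = any(key in entry for entry in local for key in GROUP_KEYS)
        if maps_group:
            source = "group membership from mapping"
        elif maps_user:
            # Identity only: the shadow user holds no roles until an
            # operator assigns them directly.
            source = "concrete role assignments only"
        else:
            source = "none (rule maps neither user nor group)"
        report.append({"rule": index, "maps_user": maps_user,
                       "maps_group": maps_group, "authorization": source})
    return report


def identity_only_rules(mapping):
    """Indexes of rules that yield a user but no group membership."""
    return [r["rule"] for r in audit_mapping(mapping)
            if r["maps_user"] and not r["maps_group"]]


if __name__ == "__main__":
    for row in audit_mapping(SAMPLE_MAPPING):
        print(row)
```

Rules reported as identity-only are the ones whose users depend entirely on role assignments made outside the mapping, so they are the ones to review when checking who can actually obtain authorization.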
Guang Yee (guang-yee) wrote :

We support that today already I think. Just add the "type" attribute.

"type": "local"

Is this for ephemeral users?

Steve Martinelli (stevemar) wrote :

@gyee, yeah, it's for our now no-longer ephemeral users.

Steve Martinelli (stevemar) wrote :

Bumping the priority on this one, it would be really beneficial for shadowing federated users.

Changed in keystone:
importance: Medium → High
Dolph Mathews (dolph) wrote :

This really isn't a bug - it's a feature gap that's addressed by https://review.openstack.org/#/c/324055/

Dolph Mathews (dolph) wrote :

Disregard comment #4 -- after talking this over with Steve, I've revised the bug description to more narrowly define the behavior that we're looking for here, without having to implement any new features (specifically, anything along the lines of https://review.openstack.org/#/c/324055/ ).

description: updated
Steve Martinelli (stevemar) wrote :

No patch up for this yet, I'm assuming this will land in Ocata with the rest of the work to improve the federation mapping code.

Changed in keystone:
milestone: newton-3 → next
Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
milestone: next → newton-3
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Ron De Rose (ronald-de-rose)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/358111
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7ba53701989490667d220a3faecae2b484a007c5
Submitter: Jenkins
Branch: master

commit 7ba53701989490667d220a3faecae2b484a007c5
Author: Ronald De Rose <email address hidden>
Date: Fri Aug 19 20:44:56 2016 +0000

    Relax the requirement for mappings to result in group memberships

    Now that we're able to grant authorization to federated users using
    concrete role assignments, we can drop the requirement for the mapping
    engine to result in any authorization (via group membership) at all.

    Closes-Bug: #1601929
    Change-Id: Ie144e20deb4a0bb987182de5c9231a14f0aa2bc8

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 10.0.0.0b3

This issue was fixed in the openstack/keystone 10.0.0.0b3 development milestone.
