Federation protocol creation gives error

Bug #1694589 reported by sanjana
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I am trying to configure OIDC with keystone.
I have followed the below steps to create the federated resources.

source accr/admin/admin
export OS_IDENTITY_API_VERSION=3
openstack domain create federated_domain
openstack group create federated_users
openstack role add --group federated_users --domain federated_domain admin
openstack identity provider create --remote-id https://accounts.google.com myidp

export remote_type=HTTP_OIDC_EMAIL
cat > rules.json <<EOF
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "federated_users"
                }
            }
        ],
        "remote": [
            {
                "type": "${remote_type}"
            }
        ]
    }
]
EOF
openstack mapping create --rules rules.json myidp_mapping

However, the step to create the federation protocol is giving me errors:
openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp

I'm getting the below error:
string indices must be integers (HTTP 400) (Request-ID: req-85e59791-fc09-49ab-9204-4363b12f95e1)

The first time I created a mapping and a protocol things were fine. But when I deleted the older mapping and re-created new rules for the mapping and tried creating the protocol, I got the above error.

Tags: federation
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Where is ${remote_type} coming from in the mapping? We do provide several examples of mappings in our documentation in case that helps [0]. Based on the error message, I would assume this to be an issue with the mapping itself.

[0] https://docs.openstack.org/developer/keystone/federation/federated_identity.html#tips

tags: added: federation
Lance Bragstad (lbragstad) wrote :

Oh, disregard my previous comment, I see where remote_type is being specified.

Lance Bragstad (lbragstad) wrote :

Interesting - I was able to create the domain, group, role assignment, identity provider, mapping, and protocol. After that I deleted the protocol and the mapping and recreated them without seeing the 400.

Is there anything else you're doing in your process that is not highlighted in the report?

sanjana (sanjana)
description: updated
Lance Bragstad (lbragstad) wrote :

I am still unable to create this using the directions supplied in the description. I started with a fresh installation and did the following:

1.) installed keystone from source @ 239bc3627cfb0546148e9d496f9e1536057052a7
2.) recreated the database and populated it with data
3.) source the administrator's account

$ source rcfiles/adminrc
$ cat rcfiles/adminrc
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_PROJECT_NAME=admin
export OS_DEFAULT_DOMAIN=default

4.) created a federated domain

$ openstack domain create federated_domain
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 50dfec355794433f8c88fdc69b836d25 |
| name        | federated_domain                 |
+-------------+----------------------------------+

5.) created a group for federated users

$ openstack group create federated_users
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| id          | c309cb3466854b61b6616fa68694040f |
| name        | federated_users                  |
+-------------+----------------------------------+

6.) granted the federated group the admin role on the federated domain

$ openstack role add --group federated_users --domain federated_domain admin
$ openstack role assignment list -f yaml --names
- Domain: ''
  Group: ''
  Inherited: false
  Project: admin@Default
  Role: admin
  User: admin@Default
- Domain: federated_domain
  Group: federated_users@Default
  Inherited: false
  Project: ''
  Role: admin
  User: ''

7.) created an identity provider

$ openstack identity provider create --remote-id https://accounts.google.com myidp
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | 6079116d115d407a94bb6ad109305e43 |
| enabled     | True                             |
| id          | myidp                            |
| remote_ids  | https://accounts.google.com      |
+-------------+----------------------------------+

8.) created a mapping

$ cat rules.json
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "federated_users"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_EMAIL"
            }
        ]
    }
]
$ openstack mapping create --rules rules.json myidp_mapping
+-------+-------------------------------------------------------------------------...


Changed in keystone:
status: New → Invalid
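An added example, not code from the report, from keystone or from the openstack CLI: a small Python check of a mapping rules file's shape before it is handed to `openstack mapping create`. It applies both to the heredoc-generated rules.json in the bug description and to the rules.json pasted in step 8 of the last comment. "string indices must be integers" is Python's TypeError for indexing a str as if it were a dict or list, so it points at the structure of what was submitted rather than at any particular value; the check below verifies that the top level is a list of rule objects, that each rule has non-empty "local" and "remote" lists, that every remote entry has a string "type", and that each "{N}" placeholder on the local side refers to an existing remote entry. It also flags a "type" that still contains an unexpanded shell variable such as ${remote_type}, the thing the first comment asked about. The accepted remote keys (any_one_of, not_any_of, regex, blacklist, whitelist) and local keys (user, group, groups, domain, projects) are an assumption of this example drawn from the keystone federation documentation, and the sample rules are constructed here.

```python
import json
import re
from typing import Any, Iterator, List, Tuple

# Assumption of this example: the keys keystone accepts in a mapping rule on the
# remote and local sides (from the keystone federation docs; check your release).
REMOTE_KEYS = {"type", "any_one_of", "not_any_of", "regex", "blacklist", "whitelist"}
LOCAL_KEYS = {"user", "group", "groups", "domain", "projects"}

PLACEHOLDER = re.compile(r"\{(\d+)\}")            # "{0}" refers to remote[0]
UNEXPANDED = re.compile(r"\$\{?[A-Za-z_]\w*\}?")  # leftover "$VAR" or "${VAR}"


def _strings(node: Any, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (json-path, value) for every string inside a nested JSON value."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _strings(value, f"{path}[{i}]")


def check_mapping_rules(text: str) -> List[str]:
    """Return the structural problems found in a mapping rules file (empty if none)."""
    problems: List[str] = []
    try:
        rules = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(rules, list):
        return [f"top level must be a list of rules, got {type(rules).__name__}"]

    for i, rule in enumerate(rules):
        where = f"rules[{i}]"
        if not isinstance(rule, dict):
            problems.append(f"{where}: rule must be an object, got {type(rule).__name__}")
            continue
        local, remote = rule.get("local"), rule.get("remote")
        if not isinstance(local, list) or not local:
            problems.append(f"{where}.local: must be a non-empty list")
            local = []
        if not isinstance(remote, list) or not remote:
            problems.append(f"{where}.remote: must be a non-empty list")
            remote = []

        for j, entry in enumerate(remote):
            rpath = f"{where}.remote[{j}]"
            if not isinstance(entry, dict):
                problems.append(f"{rpath}: must be an object")
                continue
            rtype = entry.get("type")
            if not isinstance(rtype, str) or not rtype:
                problems.append(f"{rpath}.type: missing or not a string")
            elif UNEXPANDED.search(rtype):
                problems.append(f"{rpath}.type: unexpanded shell variable in {rtype!r}")
            unknown = sorted(set(entry) - REMOTE_KEYS)
            if unknown:
                problems.append(f"{rpath}: unknown keys {unknown}")

        for j, entry in enumerate(local):
            lpath = f"{where}.local[{j}]"
            if not isinstance(entry, dict):
                problems.append(f"{lpath}: must be an object")
                continue
            unknown = sorted(set(entry) - LOCAL_KEYS)
            if unknown:
                problems.append(f"{lpath}: unknown keys {unknown}")
            for spath, value in _strings(entry, lpath):
                # Every "{N}" must point at an existing remote entry.
                for n in PLACEHOLDER.findall(value):
                    if int(n) >= len(remote):
                        problems.append(f"{spath}: placeholder {{{n}}} has no remote entry "
                                        f"(remote has {len(remote)})")
                if UNEXPANDED.search(value):
                    problems.append(f"{spath}: unexpanded shell variable in {value!r}")
    return problems


# Constructed sample: the rules from the report with the remote type already expanded.
GOOD_RULES = """
[{"local": [{"user": {"name": "{0}"},
             "group": {"domain": {"name": "Default"}, "name": "federated_users"}}],
  "remote": [{"type": "HTTP_OIDC_EMAIL"}]}]
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_RULES
    for line in check_mapping_rules(source) or ["ok: rules file has the expected shape"]:
        print(line)
```

Run it as `python check_rules.py rules.json` (the script name is arbitrary) right after the `cat > rules.json <<EOF` step; with the heredoc unquoted, as in the report, the shell expands ${remote_type}, and the check confirms that the expansion actually happened before the file leaves the machine.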