Federated domain is reported when validating a federated token

Bug #1754048 reported by Kristi Nikolla
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Kristi Nikolla
Milestone: (none)

Bug Description

Prior to introducing per idp domains, all federated users lived in the Federated domain. That is not the case anymore, but Keystone keeps reporting that federated users are part of that domain rather than their per-idp domains.

Token validation: http://paste.openstack.org/show/693652/

Tags: federation
Revision history for this message
Lance Bragstad (lbragstad) wrote :

I noticed this when doing some refactoring of the token provider API recently. I agree that we should get the token provider up to speed by populating the identity provider's domain in the token response, instead of the cookie-cutter Federated domain.

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Lance Bragstad (lbragstad) wrote :

This was technically found in the Queens release and probably true for older releases that use federation. I don't think this is something we need to fix for Rocky.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/651614

Changed in keystone:
assignee: nobody → Kristi Nikolla (knikolla)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/653068

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/653068
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c2be944fb89f94a10d7105b2e072eeab5582c5a7
Submitter: Zuul
Branch: master

commit c2be944fb89f94a10d7105b2e072eeab5582c5a7
Author: Kristi Nikolla <email address hidden>
Date: Tue Apr 16 14:11:36 2019 -0400

    Report correct domain in federated user token

    Regardless of what domain the user was in, the domain reported in
    the token would be hardcoded to 'Federated' (regardless of the
    federated_domain_name config option).

    This patch removes the places where the domain was overwritten,
    and allows the correct domain to flow to the rendered token.
    It also updates the tests where it was being checked for
    the 'Federated' domain.

    Change-Id: Idad4e077c488d87f75172664fb519232eb78e292
    Closes-Bug: 1754048

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/651614
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d78ac78395e05bbcce6674d7150e8ec25c3a558e
Submitter: Zuul
Branch: master

commit d78ac78395e05bbcce6674d7150e8ec25c3a558e
Author: Kristi Nikolla <email address hidden>
Date: Wed Apr 10 13:19:57 2019 -0400

    Deprecate [federation] federated_domain_name

    Prior to introducing per idp domains, all ephemeral users lived
    in the Federated domain. That is not the case anymore, since they
    now live in the domain of the idp.

    Change-Id: Ife501adf7b122d2c987e132dbfafe0717760c1bb
    Partial-Bug: 1754048
    Partial-Bug: 1829454

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
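The bug description and the merged fix above describe the symptom: a validated federated token reports the user in the 'Federated' domain instead of the domain configured on the identity provider. The following check, added here as an example and not part of the bug report or the keystone patches, compares the domain a token reports with the IdP's domain_id so an operator can confirm whether a deployment shows the pre-fix behaviour. The token body and IdP records are constructed samples; the field paths (token.user.domain, token.user.OS-FEDERATION.identity_provider.id, and the IdP's domain_id) follow the Keystone v3 API shapes.

```python
import json

# Constructed sample: a Keystone v3 token validation response (GET /v3/auth/tokens)
# for a federated user, trimmed to the fields this check needs.  The domain is the
# hardcoded 'Federated' domain described in the bug, not the IdP's domain.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token": {
        "user": {
            "id": "a1b2c3",
            "name": "alice@example.org",
            "domain": {"id": "e0d1c2", "name": "Federated"},
            "OS-FEDERATION": {
                "identity_provider": {"id": "corp-idp"},
                "protocol": {"id": "saml2"},
                "groups": [{"id": "g1"}],
            },
        },
    }
})

# Constructed sample: identity providers as returned by
# GET /v3/OS-FEDERATION/identity_providers, keyed by id.  Each IdP carries the
# domain_id that its ephemeral (federated) users are created in.
SAMPLE_IDPS = {"corp-idp": {"id": "corp-idp", "domain_id": "d3f4a5"}}


def check_federated_token_domain(token_json, idps):
    """Compare the domain reported in a token with the IdP's domain_id.

    Returns a dict whose 'status' is 'not-federated' (no OS-FEDERATION block,
    nothing to check), 'unknown-idp' (token names an IdP we have no record for),
    'mismatch' (the pre-fix behaviour from the bug) or 'ok'.
    """
    user = json.loads(token_json)["token"]["user"]
    fed = user.get("OS-FEDERATION")
    if fed is None:
        return {"status": "not-federated", "user_id": user["id"]}
    idp_id = fed["identity_provider"]["id"]
    reported = user["domain"]["id"]
    idp = idps.get(idp_id)
    if idp is None:
        return {"status": "unknown-idp", "idp_id": idp_id, "reported_domain": reported}
    expected = idp["domain_id"]
    return {"status": "ok" if reported == expected else "mismatch",
            "idp_id": idp_id, "reported_domain": reported,
            "reported_domain_name": user["domain"].get("name"),
            "expected_domain": expected}


if __name__ == "__main__":
    print(check_federated_token_domain(SAMPLE_TOKEN_RESPONSE, SAMPLE_IDPS))
```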
