[rfe] Expiring User Group Memberships

Bug #1809116 reported by Kristi Nikolla
This bug affects 6 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Kristi Nikolla

Bug Description

This bug is used for tracking the progress of the application credential feature in keystone.

Summary
=======
Allow creation of application credentials based on the authorization of mapped group assignments. The application credentials will require the user who created the application credential to log in with the same authorization in the external identity provider in order to renew it.

Tags: federation rfe
Changed in keystone:
status: New → In Progress
Changed in keystone:
assignee: Kristi Nikolla (knikolla) → Morgan Fainberg (mdrnstm)
Colleen Murphy (krinkle)
Changed in keystone:
importance: Undecided → High
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Kristi Nikolla (knikolla)
Colleen Murphy (krinkle)
tags: added: rfe
summary: - Renewable Application Credentials
+ [rfe] Renewable Application Credentials
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone-specs (master)

Reviewed: https://review.opendev.org/604201
Committed: https://git.openstack.org/cgit/openstack/keystone-specs/commit/?id=11885fcd929420ef4b4a6524765392296cdba8ab
Submitter: Zuul
Branch: master

commit 11885fcd929420ef4b4a6524765392296cdba8ab
Author: Kristi Nikolla <email address hidden>
Date: Thu Sep 20 15:48:33 2018 -0400

    Expiring Group Membership Through Mapping Rules

    Add federated users to the groups that they receive from the mapping rules.
    This membership is only carried by the token and not persisted in the
    database. The membership expires, but can be renewed when the user
    authenticates with the same group.

    Partial-Bug: 1809116

    Change-Id: If376a1ce18f9b628f429f3cac957c76dacd00a34

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/677469

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/678586

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone-specs (master)

Fix proposed to branch: master
Review: https://review.opendev.org/698951

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone-specs (master)

Reviewed: https://review.opendev.org/698951
Committed: https://git.openstack.org/cgit/openstack/keystone-specs/commit/?id=09f8b8b4b4b65e440af6c11fa940bdea83340370
Submitter: Zuul
Branch: master

commit 09f8b8b4b4b65e440af6c11fa940bdea83340370
Author: Kristi Nikolla <email address hidden>
Date: Fri Dec 13 11:21:39 2019 -0500

    Repropose Expiring Group Membership for Ussuri

    Add federated users to the groups that they receive from the mapping rules.
    This membership is only carried by the token and not persisted in the
    database. The membership expires, but can be renewed when the user
    authenticates with the same group.

    Previously approved for Train, fell into backlog, reproposing for Ussuri.

    Change-Id: Ie133c14ffba5e4189265920759bfb5e1391f1189
    Partial-Bug: 1809116

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/713976

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/714507

summary: - [rfe] Renewable Application Credentials
+ [rfe] Expiring User Group Memberships
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/677469
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ee54ba0ce49a5cebbf991e705492ad060e11867f
Submitter: Zuul
Branch: master

commit ee54ba0ce49a5cebbf991e705492ad060e11867f
Author: Kristi Nikolla <email address hidden>
Date: Mon Jul 29 16:19:51 2019 -0400

    Expiring User Group Membership Model

    Creates the model and migration for the expiring user group
    membership table.

    Change-Id: I48093403539918f81e6a174bdfa7b6497dd307fb
    Partial-Bug: 1809116

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/678586
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d8938514fe3f9df54467f557e13770533c614259
Submitter: Zuul
Branch: master

commit d8938514fe3f9df54467f557e13770533c614259
Author: Kristi Nikolla <email address hidden>
Date: Mon Aug 19 08:00:05 2019 -0400

    Expiring Group Membership Driver - Add, List Groups

    Modify the base driver and SQL driver to support expiring group
    memberships.

    Additions to the SQL Driver to support listing expiring groups
    for user.

    Change-Id: I7d52cd2003f511483619a429de57201df4990209
    Partial-Bug: 1809116
    Depends-On: I4294a879071dde07e5eb1da4df133de8032e1059

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/713976
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8153a9d5925b0ba60e43329ff6bfb5a4d1a12f97
Submitter: Zuul
Branch: master

commit 8153a9d5925b0ba60e43329ff6bfb5a4d1a12f97
Author: Kristi Nikolla <email address hidden>
Date: Fri Feb 7 11:02:51 2020 -0500

    Add expiring user group memberships on mapped authentication

    When a federated user authenticates, they are added to their
    mapped groups during shadowing.

    Closes-Bug: 1809116

    Change-Id: I19dc400b2a7aa46709b242cdeef82beaca975ff3

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/714507
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c18956f198f223e3a47b2377b9007649187f4fd8
Submitter: Zuul
Branch: master

commit c18956f198f223e3a47b2377b9007649187f4fd8
Author: Kristi Nikolla <email address hidden>
Date: Mon Mar 23 14:04:10 2020 -0400

    Expiring Group Memberships API - Allow set idp authorization_ttl

    This patch extends the identity provider API to receive, return
    and set the authorization_ttl on an identity provider.

    Change-Id: I3c58da290d52149e307280042ed20447da4687f7
    Partial-Bug: 1809116

Bartosz Bezak (bbezak) wrote :

Keystone Ussuri is still affected by the duplicate bug https://bugs.launchpad.net/keystone/+bug/1832092.

i.e.:
I am not able to create an application credential via Horizon when group membership comes from federation only.
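
The expiry-and-renewal behaviour described in the commit messages above, modelled as an added example that is not part of this bug report and is not keystone's code. The class, its method names, the in-memory store, the TTL being in minutes and all sample users, groups and timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical in-memory model; names and the minutes unit are assumptions
# made for this example, not keystone's schema or API.
class ExpiringMemberships:
    def __init__(self, idp_ttl_minutes):
        self.idp_ttl = idp_ttl_minutes      # idp_id -> authorization_ttl
        self.last_verified = {}             # (user, group, idp) -> datetime

    def mapped_auth(self, user, idp, mapped_groups, now):
        """Federated login: (re)verify every group the mapping rules returned."""
        for group in mapped_groups:
            self.last_verified[(user, group, idp)] = now

    def effective_groups(self, user, now):
        """Groups whose last verification is still within the IdP's TTL."""
        groups = set()
        for (u, group, idp), seen in self.last_verified.items():
            ttl = timedelta(minutes=self.idp_ttl[idp])
            if u == user and now < seen + ttl:
                groups.add(group)
        return groups

    def app_credential_allowed(self, user, required_group, now):
        """Honour an application credential only while the group membership
        it was created under is unexpired."""
        return required_group in self.effective_groups(user, now)


def demo():
    t0 = datetime(2020, 3, 23, 12, 0)            # constructed timestamp
    m = ExpiringMemberships({"idp-a": 60})       # constructed IdP, 60 min TTL
    m.mapped_auth("alice", "idp-a", ["admins", "devs"], t0)
    results = [m.effective_groups("alice", t0 + timedelta(minutes=59))]
    # Re-login at +50 min: the IdP now asserts only "devs", so only that
    # membership is renewed; "admins" keeps its original verification time.
    m.mapped_auth("alice", "idp-a", ["devs"], t0 + timedelta(minutes=50))
    at_90 = t0 + timedelta(minutes=90)
    results.append(m.effective_groups("alice", at_90))
    results.append(m.app_credential_allowed("alice", "admins", at_90))
    results.append(m.effective_groups("alice", t0 + timedelta(minutes=111)))
    return results
```

A group dropped at the identity provider is never revoked explicitly in this model; it simply stops being renewed and lapses once the TTL has passed, which bounds how long stale federated authorization can back a credential.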
