Activity log for bug #1832092

Date Who What changed Old value New value Message
2019-06-08 15:08:13 Dmitrii Shcherbakov bug added bug
2019-06-08 15:08:13 Dmitrii Shcherbakov attachment added 08-06-2019-unable-to-create-app-cred.png https://bugs.launchpad.net/bugs/1832092/+attachment/5269597/+files/08-06-2019-unable-to-create-app-cred.png
2019-06-08 20:21:18 Dmitrii Shcherbakov description

Old value:

[Version]

Rocky (UCA)

[Problem Description]

(see the User Scenario section below for a description of the environment)

When no direct role assignments to federated users are done and only federated group role assignments are present, application credential creation via Horizon fails with the following errors:

horizon apache2 error.log:
[Sat Jun 08 14:27:59.153479 2019] [wsgi:error] [pid 150327:tid 139962773473024] [remote 10.232.46.207:35898] Recoverable error: Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45. (HTTP 400) (Request-ID: req-da2e3322-2f6f-468f-bd0d-b08855f9893b)

keystone.log:
(keystone.common.wsgi): 2019-06-08 14:30:55,933 WARNING Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45.
(keystone.middleware.auth): 2019-06-08 14:31:00,940 DEBUG Authenticating user token

Code-path:
create_application_credential -> _require_user_has_role_in_project -> _get_user_roles -> _get_user_roles -> list_role_assignments -> _list_effective_role_assignments -> _get_group_ids_for_user_id -> list_groups_for_user -> _get_group_ids_for_user_id

A detailed rpdb trace: http://paste.openstack.org/show/752652/

 82         def _require_user_has_role_in_project(self, roles, user_id, project_id):
 83             user_roles = self._get_user_roles(user_id, project_id)
 84  ->         for role in roles:
 85                 if role['id'] not in user_roles:
 86                     raise exception.RoleAssignmentNotFound(role_id=role['id'],
 87                                                            actor_id=user_id,
 88                                                            target_id=project_id)

[Possible Solution]

Group membership details obtained dynamically during federated authentication and embedded into a fernet token (first an unscoped token, then a project-scoped token) need to be used in addition to querying the database for user to group membership.

[User Scenario]

Federated authentication via SAML with the following mapping (i.e. no direct role assignment to a user on a project - only federated group-based role assignment):

openstack mapping show adfs_mapping
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value                                                                                                                                                                              |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id    | adfs_mapping                                                                                                                                                                       |
| rules | [{'remote': [{'type': 'MELLON_NAME_ID'}, {'type': 'MELLON_groups'}], 'local': [{'domain': {'id': 'e834e57943714e058c203d4f544ea946'}, 'user': {'name': '{0}'}, 'groups': '{1}'}]}] |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

# a federated user
openstack user list --domain adfs
+----------------------------------+------------------------+
| ID                               | Name                   |
+----------------------------------+------------------------+
| 794d430997c64060854bf77f2e7e6e16 | intranet\Administrator |
+----------------------------------+------------------------+

# a group that exists both on the IdP and Keystone (SP) side
openstack group list --domain adfs
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 701f70e7549d4de28cecd60127a1a444 | adfs_users |
+----------------------------------+------------+

# grouptest is a project that adfs_users group members get a Member role assignment on
openstack project list --domain adfs
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 7de76f768cb84149b8b2d693d1d21f45 | grouptest |
| 6a0657cf98684a62af99dc7b71a383dd | test      |
+----------------------------------+-----------+

# no direct Member role assignments for federated users
openstack role assignment list --names
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Role   | User                             | Group           | Project                 | Domain       | System | Inherited |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Admin  | neutron@service_domain           |                 | services@service_domain |              |        | False     |
| Admin  | designate@default                |                 | services@default        |              |        | False     |
| Admin  | image-stream@default             |                 | services@default        |              |        | False     |
| Admin  | nova_placement@service_domain    |                 | services@service_domain |              |        | False     |
| Member | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 |                         | admin_domain |        | False     |
| Member | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@default        |                 | services@default        |              |        | False     |
| Member |                                  | adfs_users@adfs | grouptest@adfs          |              |        | False     |
| Member |                                  | adfs_users@adfs |                         | adfs         |        | False     |
| Admin  | neutron@default                  |                 | services@default        |              |        | False     |
| Admin  | glance@default                   |                 | services@default        |              |        | False     |
| Admin  | image-stream@service_domain      |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@service_domain |                 | services@service_domain |              |        | False     |
| Admin  | glance@service_domain            |                 | services@service_domain |              |        | False     |
| Admin  | designate@service_domain         |                 | services@service_domain |              |        | False     |
| Member | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | nova_placement@default           |                 | services@default        |              |        | False     |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+

# same as above - no direct role assignments
openstack role assignment list --names --user 794d430997c64060854bf77f2e7e6e16 ; echo $?
0

# role assignments for the adfs_users group (domain and project level although only the project-level one is needed)
openstack role assignment list --names --group adfs_users --group-domain adfs
+--------+------+-----------------+----------------+--------+--------+-----------+
| Role   | User | Group           | Project        | Domain | System | Inherited |
+--------+------+-----------------+----------------+--------+--------+-----------+
| Member |      | adfs_users@adfs | grouptest@adfs |        |        | False     |
| Member |      | adfs_users@adfs |                | adfs   |        | False     |
+--------+------+-----------------+----------------+--------+--------+-----------+

New value:

[Version]

Rocky (UCA)

[Problem Description]

(see the User Scenario section below for a description of the environment)

When no direct role assignments to federated users are done and only federated group role assignments are present, application credential creation via Horizon fails with the following errors:

horizon apache2 error.log:
[Sat Jun 08 14:27:59.153479 2019] [wsgi:error] [pid 150327:tid 139962773473024] [remote 10.232.46.207:35898] Recoverable error: Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45. (HTTP 400) (Request-ID: req-da2e3322-2f6f-468f-bd0d-b08855f9893b)

keystone.log:
(keystone.common.wsgi): 2019-06-08 14:30:55,933 WARNING Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45.
(keystone.middleware.auth): 2019-06-08 14:31:00,940 DEBUG Authenticating user token

Code-path:
create_application_credential -> _require_user_has_role_in_project -> _get_user_roles -> _get_user_roles -> list_role_assignments -> _list_effective_role_assignments -> _get_group_ids_for_user_id -> list_groups_for_user -> _get_group_ids_for_user_id

A detailed rpdb trace: http://paste.openstack.org/show/752652/

 82         def _require_user_has_role_in_project(self, roles, user_id, project_id):
 83             user_roles = self._get_user_roles(user_id, project_id)
 84  ->         for role in roles:
 85                 if role['id'] not in user_roles:
 86                     raise exception.RoleAssignmentNotFound(role_id=role['id'],
 87                                                            actor_id=user_id,
 88                                                            target_id=project_id)

[Possible Solution]

Group membership details obtained dynamically during federated authentication and embedded into a fernet token (first an unscoped token, then a project-scoped token) need to be used in addition to querying the database for user to group membership.

[User Scenario]

Federated authentication via SAML with the following mapping (i.e. no direct role assignment to a user on a project - only federated group-based role assignment):

openstack mapping show adfs_mapping
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value                                                                                                                                                                              |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id    | adfs_mapping                                                                                                                                                                       |
| rules | [{'remote': [{'type': 'MELLON_NAME_ID'}, {'type': 'MELLON_groups'}], 'local': [{'domain': {'id': 'e834e57943714e058c203d4f544ea946'}, 'user': {'name': '{0}'}, 'groups': '{1}'}]}] |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

# a federated user
openstack user list --domain adfs
+----------------------------------+------------------------+
| ID                               | Name                   |
+----------------------------------+------------------------+
| 794d430997c64060854bf77f2e7e6e16 | intranet\Administrator |
+----------------------------------+------------------------+

# a group that exists both on the IdP and Keystone (SP) side
openstack group list --domain adfs
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 701f70e7549d4de28cecd60127a1a444 | adfs_users |
+----------------------------------+------------+

# no group assignments are present in the keystone db - they are only populated on a per-token basis during federated authentication
openstack user list --domain adfs --group adfs_users ; echo $?
0

# grouptest is a project that adfs_users group members get a Member role assignment on
openstack project list --domain adfs
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 7de76f768cb84149b8b2d693d1d21f45 | grouptest |
| 6a0657cf98684a62af99dc7b71a383dd | test      |
+----------------------------------+-----------+

# no direct Member role assignments for federated users
openstack role assignment list --names
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Role   | User                             | Group           | Project                 | Domain       | System | Inherited |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Admin  | neutron@service_domain           |                 | services@service_domain |              |        | False     |
| Admin  | designate@default                |                 | services@default        |              |        | False     |
| Admin  | image-stream@default             |                 | services@default        |              |        | False     |
| Admin  | nova_placement@service_domain    |                 | services@service_domain |              |        | False     |
| Member | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 |                         | admin_domain |        | False     |
| Member | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@default        |                 | services@default        |              |        | False     |
| Member |                                  | adfs_users@adfs | grouptest@adfs          |              |        | False     |
| Member |                                  | adfs_users@adfs |                         | adfs         |        | False     |
| Admin  | neutron@default                  |                 | services@default        |              |        | False     |
| Admin  | glance@default                   |                 | services@default        |              |        | False     |
| Admin  | image-stream@service_domain      |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@service_domain |                 | services@service_domain |              |        | False     |
| Admin  | glance@service_domain            |                 | services@service_domain |              |        | False     |
| Admin  | designate@service_domain         |                 | services@service_domain |              |        | False     |
| Member | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | nova_placement@default           |                 | services@default        |              |        | False     |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+

# same as above - no direct role assignments
openstack role assignment list --names --user 794d430997c64060854bf77f2e7e6e16 ; echo $?
0

# role assignments for the adfs_users group (domain and project level although only the project-level one is needed)
openstack role assignment list --names --group adfs_users --group-domain adfs
+--------+------+-----------------+----------------+--------+--------+-----------+
| Role   | User | Group           | Project        | Domain | System | Inherited |
+--------+------+-----------------+----------------+--------+--------+-----------+
| Member |      | adfs_users@adfs | grouptest@adfs |        |        | False     |
| Member |      | adfs_users@adfs |                | adfs   |        | False     |
+--------+------+-----------------+----------------+--------+--------+-----------+
2019-06-08 20:38:05 Dmitrii Shcherbakov description

Old value:

[Version]

Rocky (UCA)

[Problem Description]

(see the User Scenario section below for a description of the environment)

When no direct role assignments to federated users are done and only federated group role assignments are present, application credential creation via Horizon fails with the following errors:

horizon apache2 error.log:
[Sat Jun 08 14:27:59.153479 2019] [wsgi:error] [pid 150327:tid 139962773473024] [remote 10.232.46.207:35898] Recoverable error: Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45. (HTTP 400) (Request-ID: req-da2e3322-2f6f-468f-bd0d-b08855f9893b)

keystone.log:
(keystone.common.wsgi): 2019-06-08 14:30:55,933 WARNING Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45.
(keystone.middleware.auth): 2019-06-08 14:31:00,940 DEBUG Authenticating user token

Code-path:
create_application_credential -> _require_user_has_role_in_project -> _get_user_roles -> _get_user_roles -> list_role_assignments -> _list_effective_role_assignments -> _get_group_ids_for_user_id -> list_groups_for_user -> _get_group_ids_for_user_id

A detailed rpdb trace: http://paste.openstack.org/show/752652/

 82         def _require_user_has_role_in_project(self, roles, user_id, project_id):
 83             user_roles = self._get_user_roles(user_id, project_id)
 84  ->         for role in roles:
 85                 if role['id'] not in user_roles:
 86                     raise exception.RoleAssignmentNotFound(role_id=role['id'],
 87                                                            actor_id=user_id,
 88                                                            target_id=project_id)

[Possible Solution]

Group membership details obtained dynamically during federated authentication and embedded into a fernet token (first an unscoped token, then a project-scoped token) need to be used in addition to querying the database for user to group membership.

[User Scenario]

Federated authentication via SAML with the following mapping (i.e. no direct role assignment to a user on a project - only federated group-based role assignment):

openstack mapping show adfs_mapping
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value                                                                                                                                                                              |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id    | adfs_mapping                                                                                                                                                                       |
| rules | [{'remote': [{'type': 'MELLON_NAME_ID'}, {'type': 'MELLON_groups'}], 'local': [{'domain': {'id': 'e834e57943714e058c203d4f544ea946'}, 'user': {'name': '{0}'}, 'groups': '{1}'}]}] |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

# a federated user
openstack user list --domain adfs
+----------------------------------+------------------------+
| ID                               | Name                   |
+----------------------------------+------------------------+
| 794d430997c64060854bf77f2e7e6e16 | intranet\Administrator |
+----------------------------------+------------------------+

# a group that exists both on the IdP and Keystone (SP) side
openstack group list --domain adfs
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 701f70e7549d4de28cecd60127a1a444 | adfs_users |
+----------------------------------+------------+

# no group assignments are present in the keystone db - they are only populated on a per-token basis during federated authentication
openstack user list --domain adfs --group adfs_users ; echo $?
0

# grouptest is a project that adfs_users group members get a Member role assignment on
openstack project list --domain adfs
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 7de76f768cb84149b8b2d693d1d21f45 | grouptest |
| 6a0657cf98684a62af99dc7b71a383dd | test      |
+----------------------------------+-----------+

# no direct Member role assignments for federated users
openstack role assignment list --names
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Role   | User                             | Group           | Project                 | Domain       | System | Inherited |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Admin  | neutron@service_domain           |                 | services@service_domain |              |        | False     |
| Admin  | designate@default                |                 | services@default        |              |        | False     |
| Admin  | image-stream@default             |                 | services@default        |              |        | False     |
| Admin  | nova_placement@service_domain    |                 | services@service_domain |              |        | False     |
| Member | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 |                         | admin_domain |        | False     |
| Member | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@default        |                 | services@default        |              |        | False     |
| Member |                                  | adfs_users@adfs | grouptest@adfs          |              |        | False     |
| Member |                                  | adfs_users@adfs |                         | adfs         |        | False     |
| Admin  | neutron@default                  |                 | services@default        |              |        | False     |
| Admin  | glance@default                   |                 | services@default        |              |        | False     |
| Admin  | image-stream@service_domain      |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@service_domain |                 | services@service_domain |              |        | False     |
| Admin  | glance@service_domain            |                 | services@service_domain |              |        | False     |
| Admin  | designate@service_domain         |                 | services@service_domain |              |        | False     |
| Member | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | nova_placement@default           |                 | services@default        |              |        | False     |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+

# same as above - no direct role assignments
openstack role assignment list --names --user 794d430997c64060854bf77f2e7e6e16 ; echo $?
0

# role assignments for the adfs_users group (domain and project level although only the project-level one is needed)
openstack role assignment list --names --group adfs_users --group-domain adfs
+--------+------+-----------------+----------------+--------+--------+-----------+
| Role   | User | Group           | Project        | Domain | System | Inherited |
+--------+------+-----------------+----------------+--------+--------+-----------+
| Member |      | adfs_users@adfs | grouptest@adfs |        |        | False     |
| Member |      | adfs_users@adfs |                | adfs   |        | False     |
+--------+------+-----------------+----------------+--------+--------+-----------+

New value:

[Version]

Rocky (UCA)

[Problem Description]

(see the User Scenario section below for a description of the environment)

When no direct role assignments to federated users are done and only federated group role assignments are present, application credential creation via Horizon fails with the following errors:

horizon apache2 error.log:
[Sat Jun 08 14:27:59.153479 2019] [wsgi:error] [pid 150327:tid 139962773473024] [remote 10.232.46.207:35898] Recoverable error: Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45. (HTTP 400) (Request-ID: req-da2e3322-2f6f-468f-bd0d-b08855f9893b)

keystone.log:
(keystone.common.wsgi): 2019-06-08 14:30:55,933 WARNING Invalid application credential: Could not find role assignment with role: 91afa82fab85426fa741370dabad80bf, user or group: 794d430997c64060854bf77f2e7e6e16, project, domain, or system: 7de76f768cb84149b8b2d693d1d21f45.
(keystone.middleware.auth): 2019-06-08 14:31:00,940 DEBUG Authenticating user token

Code-path:
create_application_credential -> _require_user_has_role_in_project -> _get_user_roles -> _get_user_roles -> list_role_assignments -> _list_effective_role_assignments -> _get_group_ids_for_user_id -> list_groups_for_user -> _get_group_ids_for_user_id

A detailed rpdb trace: http://paste.openstack.org/show/752652/

 82         def _require_user_has_role_in_project(self, roles, user_id, project_id):
 83             user_roles = self._get_user_roles(user_id, project_id)
 84  ->         for role in roles:
 85                 if role['id'] not in user_roles:
 86                     raise exception.RoleAssignmentNotFound(role_id=role['id'],
 87                                                            actor_id=user_id,
 88                                                            target_id=project_id)

[Possible Solution]

Group membership details obtained dynamically during federated authentication and embedded into a fernet token (first an unscoped token, then a project-scoped token) need to be used in addition to querying the database for user to group membership.

[User Scenario]

Federated authentication via SAML with the following mapping (i.e. no direct role assignment to a user on a project - only federated group-based role assignment):

openstack mapping show adfs_mapping
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value                                                                                                                                                                              |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id    | adfs_mapping                                                                                                                                                                       |
| rules | [{'remote': [{'type': 'MELLON_NAME_ID'}, {'type': 'MELLON_groups'}], 'local': [{'domain': {'id': 'e834e57943714e058c203d4f544ea946'}, 'user': {'name': '{0}'}, 'groups': '{1}'}]}] |
+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

# a federated user
openstack user list --domain adfs
+----------------------------------+------------------------+
| ID                               | Name                   |
+----------------------------------+------------------------+
| 794d430997c64060854bf77f2e7e6e16 | intranet\Administrator |
+----------------------------------+------------------------+

# a group that exists both on the IdP and Keystone (SP) side
openstack group list --domain adfs
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 701f70e7549d4de28cecd60127a1a444 | adfs_users |
+----------------------------------+------------+

# no group assignments are present in the keystone db - they are only populated on a per-token basis during federated authentication
openstack user list --domain adfs --group adfs_users ; echo $?
0

# grouptest is a project that adfs_users group members get a Member role assignment on
openstack project list --domain adfs
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 7de76f768cb84149b8b2d693d1d21f45 | grouptest |
| 6a0657cf98684a62af99dc7b71a383dd | test      |
+----------------------------------+-----------+

# no direct Member role assignments for federated users
openstack role assignment list --names
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Role   | User                             | Group           | Project                 | Domain       | System | Inherited |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+
| Admin  | neutron@service_domain           |                 | services@service_domain |              |        | False     |
| Admin  | designate@default                |                 | services@default        |              |        | False     |
| Admin  | image-stream@default             |                 | services@default        |              |        | False     |
| Admin  | nova_placement@service_domain    |                 | services@service_domain |              |        | False     |
| Member | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 | admin@admin_domain      |              |        | False     |
| Admin  | admin@admin_domain               |                 |                         | admin_domain |        | False     |
| Member | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | swift@service_domain             |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@default        |                 | services@default        |              |        | False     |
| Member |                                  | adfs_users@adfs | grouptest@adfs          |              |        | False     |
| Member |                                  | adfs_users@adfs |                         | adfs         |        | False     |
| Admin  | neutron@default                  |                 | services@default        |              |        | False     |
| Admin  | glance@default                   |                 | services@default        |              |        | False     |
| Admin  | image-stream@service_domain      |                 | services@service_domain |              |        | False     |
| Admin  | cinderv2_cinderv3@service_domain |                 | services@service_domain |              |        | False     |
| Admin  | glance@service_domain            |                 | services@service_domain |              |        | False     |
| Admin  | designate@service_domain         |                 | services@service_domain |              |        | False     |
| Member | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | swift@default                    |                 | services@default        |              |        | False     |
| Admin  | nova_placement@default           |                 | services@default        |              |        | False     |
+--------+----------------------------------+-----------------+-------------------------+--------------+--------+-----------+

# same as above - no direct role assignments
openstack role assignment list --names --user 794d430997c64060854bf77f2e7e6e16 ; echo $?
0

# role assignments for the adfs_users group (domain and project level although only the project-level one is needed)
openstack role assignment list --names --group adfs_users --group-domain adfs
+--------+------+-----------------+----------------+--------+--------+-----------+
| Role   | User | Group           | Project        | Domain | System | Inherited |
+--------+------+-----------------+----------------+--------+--------+-----------+
| Member |      | adfs_users@adfs | grouptest@adfs |        |        | False     |
| Member |      | adfs_users@adfs |                | adfs   |        | False     |
+--------+------+-----------------+----------------+--------+--------+-----------+

===================

Just to make sure, adding group membership for the federated/shadow-mapped user to the db directly allows an application credential to be created successfully. So the issue is not applicable to group membership in general - just to the federated case where there is no record of membership in the db.

openstack group add user --group-domain adfs --user-domain adfs adfs_users 'intranet\Administrator'

openstack user list --domain adfs --group adfs_users
+----------------------------------+------------------------+
| ID                               | Name                   |
+----------------------------------+------------------------+
| 794d430997c64060854bf77f2e7e6e16 | intranet\Administrator |
+----------------------------------+------------------------+

# *creation of an app credential succeeds via horizon*
2019-07-15 21:48:35 Colleen Murphy marked as duplicate 1809116
2021-11-26 10:04:16 JF Taltavull bug added subscriber JF Taltavull
2022-03-30 10:10:50 Lars Merke bug added subscriber Lars Merke
2022-05-06 14:54:39 Graeme Moss bug task added charm-keystone-saml-mellon
2024-01-13 15:56:15 Nguyen Ngoc Hieu removed duplicate marker 1809116
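
Added example (not part of the bug report and not Keystone code): a simplified model of the role check the description walks through, showing why a database-only group lookup rejects the federated user and how also honouring the groups carried by the token changes the result. AssignmentStore, effective_roles, can_create_app_credential and build_report_scenario are hypothetical names; the IDs are the ones quoted in the report, and treating the role id from the error message as the Member role is an assumption.

```python
"""Simplified model of the role check in the report; not Keystone code."""

# IDs copied from the bug report.
USER_ID = "794d430997c64060854bf77f2e7e6e16"           # the federated user
GROUP_ID = "701f70e7549d4de28cecd60127a1a444"          # adfs_users
PROJECT_ID = "7de76f768cb84149b8b2d693d1d21f45"        # grouptest
OTHER_PROJECT_ID = "6a0657cf98684a62af99dc7b71a383dd"  # test
ROLE_ID = "91afa82fab85426fa741370dabad80bf"           # from the error; assumed Member


class RoleAssignmentNotFound(Exception):
    """Raised when a requested role is not among the user's effective roles."""


class AssignmentStore:
    """Hypothetical in-memory stand-in for the assignment and identity tables."""

    def __init__(self):
        self.assignments = {}     # (actor_id, project_id) -> {role_id}
        self.db_memberships = {}  # user_id -> {group_id} persisted in the db

    def grant(self, actor_id, project_id, role_id):
        self.assignments.setdefault((actor_id, project_id), set()).add(role_id)

    def add_user_to_group(self, user_id, group_id):
        self.db_memberships.setdefault(user_id, set()).add(group_id)

    def effective_roles(self, user_id, project_id, token_group_ids=()):
        # Groups persisted in the db, plus groups carried by an already
        # validated token. token_group_ids must never come from request input.
        group_ids = self.db_memberships.get(user_id, set()) | set(token_group_ids)
        roles = set(self.assignments.get((user_id, project_id), set()))
        for group_id in group_ids:
            roles |= self.assignments.get((group_id, project_id), set())
        return roles


def require_user_has_role_in_project(store, roles, user_id, project_id,
                                     token_group_ids=()):
    """Same shape as the check in the trace, with an optional token group list."""
    user_roles = store.effective_roles(user_id, project_id, token_group_ids)
    for role in roles:
        if role["id"] not in user_roles:
            raise RoleAssignmentNotFound(
                "role %s, actor %s, target %s" % (role["id"], user_id, project_id))


def can_create_app_credential(store, roles, user_id, project_id,
                              token_group_ids=()):
    try:
        require_user_has_role_in_project(store, roles, user_id, project_id,
                                         token_group_ids)
    except RoleAssignmentNotFound:
        return False
    return True


def build_report_scenario():
    """Only a group-based assignment exists; no membership row is in the db."""
    store = AssignmentStore()
    store.grant(GROUP_ID, PROJECT_ID, ROLE_ID)
    return store


if __name__ == "__main__":
    store = build_report_scenario()
    wanted = [{"id": ROLE_ID}]
    print("db lookup only:      ",
          can_create_app_credential(store, wanted, USER_ID, PROJECT_ID))
    print("db + token groups:   ",
          can_create_app_credential(store, wanted, USER_ID, PROJECT_ID, [GROUP_ID]))
    store.add_user_to_group(USER_ID, GROUP_ID)  # the "just to make sure" step
    print("membership row in db:",
          can_create_app_credential(store, wanted, USER_ID, PROJECT_ID))
```
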