Trust API does not support delegating federated roles (roles obtained from federated groups)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Incomplete | Undecided | Unassigned |
Bug Description
Version: Queens (UCA) 2:13.0.2-0ubuntu1
When a trust is created, the trustor user is required to have a role on the project in question. This is verified via a call to the keystone database, without considering roles that can be inferred from the federated groups present in the token.
In this scenario the federated user does not have any direct role assignments in the keystone database, only the ones that can be inferred from federated group membership.
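The two validation paths described above, as an added illustration that is not keystone's own code: a check that consults only direct user-to-project assignments (the behaviour this bug reports) beside one that also folds in roles inferred from the groups carried in the token's OS-FEDERATION section. All ids, role names and the token below are constructed sample data.

```python
# Added illustration of the bug described above; this is NOT keystone's code.
# direct_roles()    : only explicit user->project assignments (the check the bug describes)
# effective_roles() : those plus roles inferred from federated groups in the token
# Every id, project and role name here is a constructed sample value.

# Constructed "database" of explicit assignments keyed by (actor_type, actor_id, project_id).
ROLE_ASSIGNMENTS = {
    ("user", "alice-local", "proj-1"): {"Member"},
    ("group", "grp-federated-members", "proj-1"): {"Member"},
}


def direct_roles(user_id, project_id):
    """Roles from explicit user->project assignments only."""
    return set(ROLE_ASSIGNMENTS.get(("user", user_id, project_id), set()))


def federated_group_ids(token):
    """Group ids carried in the token's user.OS-FEDERATION section (empty for local users)."""
    fed = token.get("user", {}).get("OS-FEDERATION", {})
    return [g["id"] for g in fed.get("groups", [])]


def effective_roles(token, project_id):
    """Direct assignments plus roles inferred from the token's federated groups."""
    roles = direct_roles(token["user"]["id"], project_id)
    for gid in federated_group_ids(token):
        roles |= ROLE_ASSIGNMENTS.get(("group", gid, project_id), set())
    return roles


def validate_trust_roles(token, project_id, requested, use_token_groups):
    """Return the requested roles the trustor does not hold; an empty list means the trust may be created."""
    if use_token_groups:
        have = effective_roles(token, project_id)
    else:
        have = direct_roles(token["user"]["id"], project_id)
    return sorted(set(requested) - have)


# Constructed token for a federated user with no direct assignments, only group membership.
FEDERATED_TOKEN = {
    "user": {
        "id": "fed-user-1",
        "OS-FEDERATION": {
            "identity_provider": {"id": "adfs"},
            "protocol": {"id": "mapped"},
            "groups": [{"id": "grp-federated-members"}],
        },
    },
}
```

With the direct-only check the federated user is reported as missing "Member" even though the token proves group membership; with the token's groups considered, the same request passes.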
https:/
https:/
A call to /v3/auth/tokens, which shows that the "roles" for the groups present in the "OS-FEDERATION" section are properly populated:
http://
"roles": [
{
"id": "e4ab04a7c6ec4c
"name": "Member"
}
# ...
"user": {
"
"id": "adfs"
},
"protocol": {
"id": "mapped"
},
"groups": [
{
"id": "7594d86688c54e
}
]
},
This bug is similar to this one for application credentials: https:/
Users, Member role and role assignments:
http://
The issue was discovered while troubleshooting "Error: ERROR: Missing required credential: roles [u'Member']", shown by the Heat dashboard during a stack creation:
http://
Keystone side:
http://
I think this is a duplicate of https://bugs.launchpad.net/keystone/+bug/1589993 . Do you see "Could not find role: XXX" in the keystone logs?