[RFE] Keystone to honor the "domain" attribute mapping rules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Undecided | Rafael Weingartner |
Bug Description
Problem Description
=================
Currently, the Keystone identity provider (IdP) attribute mapping schema only uses the "domain" attribute mapping as a default configuration for the domain of the groups being mapped; groups can override the default attribute mapping domain by setting their specific domain. However, there are other "elements", such as user and project, that can also have a domain to define their location in OpenStack.
An operator, when reading the attribute mapping section and seeing the schema for the attribute mapping definition, can be led to think that the domain defined in the mapping will also apply to users and projects. However, that is not what happens.
Proposed Change
===============
First of all, to facilitate the development and extension concerning attribute mappings for IdPs, we changed the way the attribute mapping schema is handled. We introduce a new configuration `federation_attribute_mapping_schema_version`, which defaults to "1.0".
Moreover, we propose to extend the Keystone identity provider (IdP) attribute mapping schema to make Keystone honor the `domain` configuration that we have on it. Currently, that configuration is only used to define a default domain for groups (and each group there could override it). It is interesting to expand this configuration (as long as it is in the root of the attribute mapping) to also apply to users and projects.
Changed in keystone:
assignee: nobody → Rafael Weingartner (rafaelweingartner)
status: New → In Progress
Reviewed: https://review.opendev.org/c/openstack/keystone/+/739966
Committed: https://opendev.org/openstack/keystone/commit/14ac08431f22705a242073ffe2c362b3aa5d9b71
Submitter: "Zuul (22348)"
Branch: master
commit 14ac08431f22705a242073ffe2c362b3aa5d9b71
Author: Rafael Weingärtner <email address hidden>
Date: Tue Dec 12 16:59:37 2023 -0300
Keystone to honor the "domain" attribute mapping rules.
We propose to extend Keystone identity provider (IdP) attribute mapping
schema to make Keystone honor the `domain` configuration that we have
on it.
Currently, that configuration is only used to define a default domain
for groups (and then each group there, could override it). It is
interesting to expand this configuration (as long as it is in the root
of the attribute mapping) to be also applied for users and projects.
Moreover, to facilitate the development and extension concerning
attribute mappings for IdPs, we changed the way the attribute mapping
schema is handled. We introduce a new configuration
`federation_attribute_mapping_schema_version`, which defaults to "1.0".
This attribute mapping schema version will then be used to control the
validation of attribute mapping, and also the rule processors used to
process the attributes that come from the IdP. So far, with this PR,
we introduce the attribute mapping schema "2.0", which enables
operators to also define a domain for the projects they want to assign
users. If no domain is defined either in the project or in the global
domain definition for the attribute mapping, we take the IdP domain
as the default.
Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d
Implements: https://bugs.launchpad.net/keystone/+bug/1887515
Closes-Bug: #1887515
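The domain precedence described in the bug description and in the commit message above (project-level domain, then the root `domain` of the rule's `local` block, then the identity provider's own domain, with schema "1.0" only honoring the root domain for groups) is shown below as an added, stand-alone example. It is not Keystone's code and does not call Keystone's mapping engine; it models the stated rule over a constructed mapping. The mapping follows the general shape of Keystone federation mapping rules, but the exact property name schema "2.0" accepts for a per-project domain (`"domain"` on each project entry), the `IDP_DOMAIN` value, and the treatment of a project-level domain under schema "1.0" (ignored, since the page says "1.0" used the root domain only for groups) are assumptions made for this example.

```python
"""Illustrative resolver for the domain precedence this bug proposes.

Added example, not Keystone's own code. It models the rule stated in the
proposal and commit message: under attribute mapping schema "2.0" a
`domain` set on a project wins, otherwise the `domain` at the root of the
rule's "local" block applies (to users and projects alike), otherwise the
identity provider's domain is used. Under schema "1.0" the root `domain`
is only a default for groups, so users and projects fall back to the IdP
domain. The property names used for a per-project domain are an
assumption made for this example.
"""
import copy
import json

# Constructed sample mapping in the assumed schema "2.0" shape.
SAMPLE_MAPPING = json.loads("""
{
  "rules": [
    {
      "local": [
        {
          "user": {"name": "{0}"},
          "domain": {"name": "idp-tenants"},
          "projects": [
            {"name": "{1}-sandbox", "roles": [{"name": "member"}]},
            {"name": "shared-ops", "domain": {"name": "ops"},
             "roles": [{"name": "reader"}]}
          ]
        }
      ],
      "remote": [
        {"type": "OIDC-preferred_username"},
        {"type": "OIDC-team"}
      ]
    }
  ]
}
""")

# Constructed: the domain the identity provider itself is registered in.
IDP_DOMAIN = "federated-idp"


def _domain_name(block):
    """Return the name (or id) from a {"domain": {...}} sub-object, else None."""
    domain = block.get("domain")
    if not domain:
        return None
    return domain.get("name") or domain.get("id")


def resolve_domains(mapping, idp_domain, schema_version="2.0"):
    """Resolve the domain of the user and of each project in the first local block.

    Returns {"user": <domain>, "projects": {<project name>: <domain>}}.
    Precedence for schema "2.0": project.domain > local.domain > idp_domain.
    For schema "1.0" the root domain (and, by assumption, a project-level
    domain) is ignored here, because the page describes the root domain as
    applying only to groups before this change.
    """
    local = mapping["rules"][0]["local"][0]
    honor_domains = schema_version != "1.0"
    root_domain = _domain_name(local) if honor_domains else None

    projects = {}
    for project in local.get("projects", []):
        own = _domain_name(project) if honor_domains else None
        projects[project["name"]] = own or root_domain or idp_domain

    return {"user": root_domain or idp_domain, "projects": projects}


def without_root_domain(mapping):
    """Copy of the mapping with the root-level domain removed (the fallback case)."""
    stripped = copy.deepcopy(mapping)
    stripped["rules"][0]["local"][0].pop("domain", None)
    return stripped


if __name__ == "__main__":
    for version in ("1.0", "2.0"):
        print(version, resolve_domains(SAMPLE_MAPPING, IDP_DOMAIN, version))
    print("no root domain", resolve_domains(without_root_domain(SAMPLE_MAPPING), IDP_DOMAIN))
```

Running it with the sample mapping shows the practical difference an operator should expect when flipping the schema version: under "2.0" the user and the `{1}-sandbox` project land in `idp-tenants` while `shared-ops` keeps its own `ops` domain; under "1.0" everything falls back to the IdP's domain, which is the surprise the bug report describes. Check which domain auto-provisioned users and projects actually end up in after changing the version, since a mapping written against one schema silently places them differently under the other.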