Public bug reported:
I'm using AzureAD and keystone oidc
mapping remote users into local groups does not work as expected.
I'm using the auto generated domain for ephemeral cloud users, a remote
attribute of OIDC_DEPARTMENT is used for mapping federated users to local
groups, the groups and projects have been created in the default domain, users
should inherit the roles of their mapped group or in other words "group based
role based access".
my expectation when following the docs for oidc or openid or mapped is that
users inherit roles of their mapped groups
how to reproduce
1 - create idp
2 - create protocol
3 - create mapping
4 - create project
5 - create group
6 - assign group to project
7 - assign roles to group in project
WEB SSO is working and a certain amount of the mapping seems to be
working, for example if I grant group access to a project, the federated
user will be granted access to the project in horizon - but they won't
inherit the roles of that group, i.e. they will not become group members
in Horizon >> Identity >> Users (Select a federated User) >> Groups (no groups)
In Horizon >> Identity >> Groups >> Members (no members)
Is this intended? The federated users domain id is the auto generated
federation domain, but I am mapping them into Default domain / project /
group
here is the mapping from oidc group to openstack group
{
"rules": [
{
"local": [
{
"group": {
"domain": {
"name": "Default"
},
"name": "itdept"
},
"user": {
"name": "{0}",
"email": "{1}"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_DEPARTMENT",
"any_one_of": [
"7050",
"7051"
]
}
]
}
There is nothing in the mapping regarding projects as I would not like
to use such a mechanism for simple access to projects, but if I assign
the local group to another project then I *can* switch to that project
in horizon - but, I do not have the roles of the group, I have the
member role only - I'm guessing because this is bestowed by default or
by horizon.
So in summary
Configured a working SSO
- users not being added to groups, seems to be ephemeral
- Users do inherit groups projects, so project enrolment works as expected
- User do not inherit groups roles on projects
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1855869
Title:
federation role mapping does not add users to groups
Status in OpenStack Identity (keystone):
New
Bug description:
I'm using AzureAD and keystone oidc
mapping remote users into local groups does not work as expected.
I'm using the auto generated domain for ephemeral cloud users, a remote
attribute of OIDC_DEPARTMENT is used for mapping federated users to local
groups, the groups and projects have been created in the default domain, users
should inherit the roles of their mapped group or in other words "group based
role based access".
my expectation when following the docs for oidc or openid or mapped is that
users inherit roles of their mapped groups
how to reproduce
1 - create idp
2 - create protocol
3 - create mapping
4 - create project
5 - create group
6 - assign group to project
7 - assign roles to group in project
WEB SSO is working and a certain amount of the mapping seems to be
working, for example if I grant group access to a project, the
federated user will be granted access to the project in horizon - but
they won't inherit the roles of that group, i.e. they will not become
group members
in Horizon >> Identity >> Users (Select a federated User) >> Groups (no
groups)
In Horizon >> Identity >> Groups >> Members (no members)
Is this intended? The federated users domain id is the auto generated
federation domain, but I am mapping them into Default domain / project
/ group
here is the mapping from oidc group to openstack group
{
"rules": [
{
"local": [
{
"group": {
"domain": {
"name": "Default"
},
"name": "itdept"
},
"user": {
"name": "{0}",
"email": "{1}"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_EMAIL"
},
{
"type": "HTTP_OIDC_DEPARTMENT",
"any_one_of": [
"7050",
"7051"
]
}
]
}
There is nothing in the mapping regarding projects as I would not like
to use such a mechanism for simple access to projects, but if I assign
the local group to another project then I *can* switch to that project
in horizon - but, I do not have the roles of the group, I have the
member role only - I'm guessing because this is bestowed by default or
by horizon.
So in summary
Configured a working SSO
- users not being added to groups, seems to be ephemeral
- Users do inherit groups projects, so project enrolment works as expected
- User do not inherit groups roles on projects
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1855869/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
