Public bug reported:

During federated authentication, a dedicated mechanism called RuleProcessor maps 
SAML2 parameters into Keystone groups. It's done by matching certain rules 
added by cloud administrators. However, Keystone doesn't check whether the 
resulting groups are present in the backend. This may lead to errors "mapping 
doesn't work as expected" due to a typo in the rule, or situations where a group 
was deleted and admins are not aware of that fact.
The fix should include a function that checks whether all the groups are 
present in the backend and, if not, logs a warning and removes nonexistent groups 
from the list. The same policy should be applied when scoping a federated unscoped 
token.

** Affects: keystone
     Importance: Undecided
     Assignee: Marek Denis (marek-denis)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Marek Denis (marek-denis)

https://bugs.launchpad.net/bugs/1290258

Title:
  Group ids are not validated after SAML2->groups mapping and federated
  token scoping

Status in OpenStack Identity (Keystone):
  New
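
A sketch of the check the report asks for, as an added example that is not Keystone's code: group ids produced by the mapping are validated against the backend when the unscoped token is issued, and again when it is scoped, because a group can be deleted in between. `InMemoryIdentityBackend`, `GroupNotFound`, `validate_group_ids`, `issue_unscoped_token` and `scope_token` are hypothetical names, and the group ids used with them are constructed.

```python
import logging

LOG = logging.getLogger(__name__)


class GroupNotFound(Exception):
    """Raised by the (hypothetical) backend for an unknown group id."""


class InMemoryIdentityBackend:
    """Constructed stand-in for a group store; not Keystone's identity API."""

    def __init__(self, group_ids):
        self._groups = set(group_ids)

    def get_group(self, group_id):
        if group_id not in self._groups:
            raise GroupNotFound(group_id)
        return {"id": group_id}

    def delete_group(self, group_id):
        self._groups.discard(group_id)


def validate_group_ids(group_ids, backend, context):
    """Keep ids present in the backend (ordered, deduplicated); warn and drop
    the rest. Other backend errors propagate rather than being swallowed."""
    valid = []
    for group_id in dict.fromkeys(group_ids):  # dedupe, keep rule order
        try:
            backend.get_group(group_id)
        except GroupNotFound:
            LOG.warning("Unknown group %s dropped (%s)", group_id, context)
            continue
        valid.append(group_id)
    return valid


def issue_unscoped_token(mapped_group_ids, backend):
    """Check 1: right after rule mapping, before ids are stored in the token."""
    groups = validate_group_ids(mapped_group_ids, backend, "mapping")
    return {"group_ids": groups}


def scope_token(unscoped_token, project_id, backend):
    """Check 2: at scoping time, since a group may have been deleted since."""
    groups = validate_group_ids(unscoped_token["group_ids"], backend, "scoping")
    return {"project_id": project_id, "group_ids": groups}
```

Only the not-found case is treated as "drop and warn"; any other lookup failure raises, so a backend outage cannot quietly change which groups a federated user ends up with.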
