With https://review.openstack.org/#/c/399684/ implemented, this should
no longer be an issue. Federated users should resolve to a domain, and
in the default case, the domain of the identity provider. This is the
behavior as of the Ocata release.

** Changed in: keystone
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1645910

Title:
  Trust creation for SSO users fails in assert_user_enabled

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  OpenStack version: Mitaka
  Operation: Heat stack/trust creation for SSO users

  For SSO users, keystone trust creation workflow fails while asserting
  that the user is enabled.

  The assert_user_enabled() function in keystone/identity/core.py fails at
  the line below:
      self.resource_api.assert_domain_enabled(user['domain_id'])

  Since user['domain_id'] throws a KeyError for federated users, this
  function raises an exception. To avoid this failure, we should invoke the
  assert_domain_enabled() check conditionally, only for local users.

  Proposing to add an 'is_local' user flag to distinguish between local
  and federated users so that we can conditionally assert the user
  domain and do other such things.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1645910/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
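
Added example, not keystone's code and not part of the original notification: a simplified model of the check from the bug description, comparing the proposed local-only domain check with resolving a federated user to the identity provider's domain as the closing comment describes. The class, the helper names, the idp_id key and all sample data are constructed for illustration.

```python
class DomainDisabled(Exception):
    pass

class ResourceAPI:
    """Constructed stand-in for a domain store: domain_id -> enabled flag."""
    def __init__(self, domains):
        self.domains = domains

    def assert_domain_enabled(self, domain_id):
        if not self.domains[domain_id]:
            raise DomainDisabled(domain_id)

def assert_user_enabled(resource_api, user):
    """Unconditional lookup, as in the line quoted in the bug description."""
    resource_api.assert_domain_enabled(user['domain_id'])
    if not user.get('enabled', True):
        raise AssertionError('user is disabled')

def assert_user_enabled_local_only(resource_api, user):
    """Proposal from the report: domain check only when is_local is set."""
    if user.get('is_local', True):
        resource_api.assert_domain_enabled(user['domain_id'])
    if not user.get('enabled', True):
        raise AssertionError('user is disabled')

def resolve_domain(user, idp_domains):
    """Resolution from the closing comment: default to the IdP's domain."""
    if 'domain_id' in user:
        return user
    return dict(user, domain_id=idp_domains[user['idp_id']])

def outcome(check, resource_api, user):
    """Run a check and report 'ok' or the name of the exception raised."""
    try:
        check(resource_api, user)
        return 'ok'
    except (KeyError, DomainDisabled, AssertionError) as exc:
        return type(exc).__name__

# Constructed sample data: the identity provider's domain is disabled.
IDP_DOMAINS = {'idp1': 'idp-domain'}
LOCAL = {'id': 'u1', 'domain_id': 'default', 'enabled': True}
FEDERATED = {'id': 'u2', 'idp_id': 'idp1', 'enabled': True, 'is_local': False}

if __name__ == '__main__':
    api = ResourceAPI({'default': True, 'idp-domain': False})
    resolved = resolve_domain(FEDERATED, IDP_DOMAINS)
    print('unconditional, no domain_id:', outcome(assert_user_enabled, api, FEDERATED))
    print('local-only check:           ', outcome(assert_user_enabled_local_only, api, FEDERATED))
    print('resolved to IdP domain:     ', outcome(assert_user_enabled, api, resolved))
```

In this model the local-only variant runs no domain check at all for the federated user, while the resolved user is subject to the same domain check as a local one.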
