Public bug reported:

Both the identity specs[1] and the federation guide[2] state:

"Federated will be displayed if no domain is specified in the local rule. User is deemed ephemeral and becomes a member of service domain named Federated. If the domain is specified the local domain’s id will be displayed."

I understand this as specifying a domain is enough for the user type to be set as "local" by the mapping engine. However, with the current implementation, setting a domain is useless unless "type" is set to "local". I believe the responsible code is here:
https://github.com/openstack/keystone/blob/169e66ab8800148c4052a46d2cb321af33e44f77/keystone/federation/utils.py#L582-L597

Is this an implementation issue or a documentation issue?

TO REPRODUCE
============

$ cat input.txt
HTTP_OIDC_ISS: https://dummy/
$ # see the attached rules.json file
$ keystone-manage mapping_engine --rules /tmp/rules.json --input ajoga/test-input.txt
{
  "group_ids": [],
  "user": {
    "domain": {
      "id": "targetdomain"
    },
    "type": "local",
    "id": "test",
    "name": "test"
  },
  "projects": [],
  "group_names": []
}
$ # remove the line '"type": "local"' from rules.json
$ keystone-manage mapping_engine --rules /tmp/rules.json --input ajoga/test-input.txt
{
  "group_ids": [],
  "user": {
    "domain": {
      "id": "Federated"
    },
    "type": "ephemeral",
    "id": "test",
    "name": "test"
  },
  "projects": [],
  "group_names": []
}

[1] https://developer.openstack.org/api-ref/identity/v3-ext/index.html#os-federation-api
[2] https://docs.openstack.org/developer/keystone/federation/federated_identity.html

** Affects: keystone
     Importance: Undecided
         Status: New

** Attachment added: "rules.json"
   https://bugs.launchpad.net/bugs/1673157/+attachment/4838346/+files/rules.json

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1673157

Title:
  type: local must be set in order to get domain parse when mapping federated users

Status in OpenStack Identity (keystone):
  New

Mailing list: https://launchpad.net/~yahoo-eng-team
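The two mapping-engine outputs in the report can be reproduced with a small model of how the "user" section of a local rule is post-processed. This is an added illustration, not keystone's code (the authoritative logic is in the utils.py lines linked in the report); the rule fragments below are reconstructed from the outputs shown above, since the attached rules.json is not reproduced here, and the "Federated" domain name is the default service domain the report mentions.

```python
"""Model of federation mapping post-processing for a local rule's 'user'
section (added illustration; keystone's own logic lives in
keystone/federation/utils.py at the commit linked in the bug)."""
import copy

FEDERATED_DOMAIN = "Federated"  # service domain for ephemeral users


def resolve_user_current(local_user):
    """Behaviour observed in the bug: 'type' defaults to 'ephemeral', and an
    ephemeral user is always placed in the service domain, so a 'domain' in
    the rule is silently discarded unless 'type' is explicitly 'local'."""
    user = copy.deepcopy(local_user)
    user_type = user.setdefault("type", "ephemeral")
    if user_type not in ("ephemeral", "local"):
        raise ValueError("invalid user type: %r" % (user_type,))
    if user_type == "ephemeral":
        user["domain"] = {"id": FEDERATED_DOMAIN}
    return user


def resolve_user_documented(local_user):
    """Behaviour as the federation guide describes it: naming a domain is
    enough to yield a local user in that domain; no domain means an
    ephemeral user in the service domain. An explicit 'type' still wins."""
    user = copy.deepcopy(local_user)
    default_type = "local" if "domain" in user else "ephemeral"
    if user.setdefault("type", default_type) == "ephemeral":
        user["domain"] = {"id": FEDERATED_DOMAIN}
    return user


def domain_silently_ignored(local_user):
    """Lint check for a rule author: True when the rule names a domain that
    the current implementation will drop because 'type' is not 'local'."""
    return "domain" in local_user and local_user.get("type") != "local"


# Constructed 'user' sections matching the report's two runs (after the
# {0}-style substitutions have already been applied).
RULE_USER_WITH_TYPE = {"domain": {"id": "targetdomain"}, "type": "local",
                       "id": "test", "name": "test"}
RULE_USER_NO_TYPE = {"domain": {"id": "targetdomain"},
                     "id": "test", "name": "test"}

if __name__ == "__main__":
    print(resolve_user_current(RULE_USER_NO_TYPE))     # domain becomes Federated
    print(resolve_user_documented(RULE_USER_NO_TYPE))  # domain stays targetdomain
```

Running domain_silently_ignored over every local rule in a mapping before uploading it catches rules whose domain will be dropped without anyone noticing.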

