Reviewed: https://review.openstack.org/491478 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d10908caa9909b9f178a59551f004a80a722cf2e Submitter: Jenkins Branch: master
commit d10908caa9909b9f178a59551f004a80a722cf2e Author: Colleen Murphy <[email protected]> Date: Mon Aug 7 14:17:20 2017 +0200 Document required `type` mapping attribute In order for a federated user to be mapped to a local user that exists in the identity backend, the user object in the local mapping rule must have the property "type": "local" set, in addition to having a keystone domain provided. This was probably not the original intention of the local user mapping spec[1], but this is how it ended up being implemented. We could choose to change the behavior of the code, but it has been around long enough that it is possible that deployments are depending on this behavior, and moreover making rules explicit rather than implicit reduces the risk of bugs and mistakes. This patch updates the api-ref documentation and the standard federation documentation to include the "type" property when mapping to local users. In addition, since we now have two keywords called "local" that mean somewhat different things, we expand the context of some of the mapping examples so that both the rule name "local" and the value "local" of the attribute "type" appear in the example, for clarity. Change-Id: Ib35e57e33903de14f9cac1f919c32dfe923ef884 Closes-bug: #1673157 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1673157 Title: type: local must be set in order to get domain parsed when mapping federated users Status in OpenStack Identity (keystone): Fix Released Bug description: Both the identity specs[1] and the federation guide[2] are stating : "Federated will be displayed if no domain is specified in the local rule. User is deemed ephemeral and becomes a member of service domain named Federated. If the domain is specified the local domain’s id will be displayed." I understand this as specifying a domain is enough for the user type to be set as "local" by the mapping engine. However, with the current implementation, setting a domain is useless unless "type" is set to "local". I believe the responsible code is here : https://github.com/openstack/keystone/blob/169e66ab8800148c4052a46d2cb321af33e44f77/keystone/federation/utils.py#L582-L597 Is this an implementation issue or a documentation issue ? TO REPRODUCE ============ $ cat input.txt HTTP_OIDC_ISS: https://dummy/ $ # see the attached rules.json file $ keystone-manage mapping_engine --rules /tmp/rules.json --input ajoga/test-input.txt { "group_ids": [], "user": { "domain": { "id": "targetdomain" }, "type": "local", "id": "test", "name": "test" }, "projects": [], "group_names": [] } $ # remove the line '"type": "local"' from rules.json $ keystone-manage mapping_engine --rules /tmp/rules.json --input ajoga/test-input.txt { "group_ids": [], "user": { "domain": { "id": "Federated" }, "type": "ephemeral", "id": "test", "name": "test" }, "projects": [], "group_names": [] } [1] https://developer.openstack.org/api-ref/identity/v3-ext/index.html#os-federation-api [2] https://docs.openstack.org/developer/keystone/federation/federated_identity.html To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1673157/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
