Reviewed:  https://review.openstack.org/491478
Committed: 
https://git.openstack.org/cgit/openstack/keystone/commit/?id=d10908caa9909b9f178a59551f004a80a722cf2e
Submitter: Jenkins
Branch:    master

commit d10908caa9909b9f178a59551f004a80a722cf2e
Author: Colleen Murphy <colleen.mur...@suse.com>
Date:   Mon Aug 7 14:17:20 2017 +0200

    Document required `type` mapping attribute
    
    In order for a federated user to be mapped to a local user that exists
    in the identity backend, the user object in the local mapping rule must
    have the property "type": "local" set, in addition to having a keystone
    domain provided. This was probably not the original intention of the
    local user mapping spec[1], but this is how it ended up being
    implemented. We could choose to change the behavior of the code, but
    it has been around long enough that it is possible that deployments are
    depending on this behavior, and moreover making rules explicit rather
    than implicit reduces the risk of bugs and mistakes.
    
    This patch updates the api-ref documentation and the standard federation
    documentation to include the "type" property when mapping to local
    users. In addition, since we now have two keywords called "local" that
    mean somewhat different things, we expand the context of some of the
    mapping examples so that both the rule name "local" and the value
    "local" of the attribute "type" appear in the example, for clarity.
    
    Change-Id: Ib35e57e33903de14f9cac1f919c32dfe923ef884
    Closes-bug: #1673157


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1673157

Title:
  type: local must be set in order to get domain parsed when mapping
  federated users

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Both the identity specs[1] and the federation guide[2] are stating :
  "Federated will be displayed if no domain is specified in the local
  rule. User is deemed ephemeral and becomes a member of service domain
  named Federated. If the domain is specified the local domain’s id will
  be displayed."

  I understand this as specifying a domain is enough for the user type
  to be set as "local" by the mapping engine. However, with the current
  implementation, setting a domain is useless unless "type" is set to
  "local".

  I believe the responsible code is here :
  
https://github.com/openstack/keystone/blob/169e66ab8800148c4052a46d2cb321af33e44f77/keystone/federation/utils.py#L582-L597

  Is this an implementation issue or a documentation issue ?

  TO REPRODUCE
  ============
  $ cat input.txt
  HTTP_OIDC_ISS: https://dummy/

  $ # see the attached rules.json file

  $ keystone-manage mapping_engine --rules /tmp/rules.json --input 
ajoga/test-input.txt 
  {
    "group_ids": [], 
    "user": {
      "domain": {
        "id": "targetdomain"
      }, 
      "type": "local", 
      "id": "test", 
      "name": "test"
    }, 
    "projects": [], 
    "group_names": []
  }
  $ # remove the line '"type": "local"' from rules.json 
  $ keystone-manage mapping_engine --rules /tmp/rules.json --input 
ajoga/test-input.txt 
  {
    "group_ids": [], 
    "user": {
      "domain": {
        "id": "Federated"
      }, 
      "type": "ephemeral", 
      "id": "test", 
      "name": "test"
    }, 
    "projects": [], 
    "group_names": []
  }


  [1] 
https://developer.openstack.org/api-ref/identity/v3-ext/index.html#os-federation-api
  [2] 
https://docs.openstack.org/developer/keystone/federation/federated_identity.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1673157/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to