Reviewed:  https://review.openstack.org/549723
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=475ea454ee06d4b3cf4d423aa26b2432e5928767
Submitter: Zuul
Branch:    master

commit 475ea454ee06d4b3cf4d423aa26b2432e5928767
Author: yangweiwei <[email protected]>
Date:   Thu Mar 22 19:26:08 2018 +0800

    Fix user email in federated shadow users

    When the federated rule contains 'email' in user, we
    should set email for the federated user. Also, if the federated
    user changes the email info, it should be changed too.

    Change-Id: Ib17172c34bd65d5236cbfc192b3a3f2b221411ef
    Closes-Bug: #1746599

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1746599

Title:
  User email not being set for federated shadow users

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  keystone version: openstack-keystone-12.0.0-1.el7.noarch (RPM installed in a kolla container)

  We are using OpenID Connect federation with the following mapping
  rules:

  $ openstack mapping show map_rules -f json
  {
    "rules": [
      {
        "local": [
          {
            "user": {
              "name": "{0}",
              "email": "{4}"
            }
          },
          {
            "projects": [
              {
                "name": "{1}",
                "roles": [
                  {
                    "name": "_member_"
                  }
                ]
              }
            ]
          }
        ],
        "remote": [
          {
            "type": "OIDC-upn"
          },
          {
            "type": "OIDC-name"
          },
          {
            "type": "OIDC-given_name"
          },
          {
            "type": "OIDC-family_name"
          },
          {
            "type": "OIDC-unique_name"
          }
        ]
      }
    ],
    "id": "map_rules"
  }

  Identity provider:

  $ openstack identity provider show openid-lab
  +-------------+---------------------------------------------------------------+
  | Field       | Value                                                         |
  +-------------+---------------------------------------------------------------+
  | description | None                                                          |
  | domain_id   | 98401b16aa754830aa7e3eab92e7603b                              |
  | enabled     | True                                                          |
  | id          | openid-lab                                                    |
  | remote_ids  | https://sts.windows.net/xxx-xxx-xxx-xxx/                      |
  +-------------+---------------------------------------------------------------+

  Federation protocol:

  $ openstack federation protocol show --identity-provider openid-lab openid
  +---------+-----------+
  | Field   | Value     |
  +---------+-----------+
  | id      | openid    |
  | mapping | map_rules |
  +---------+-----------+

  What should happen:

  I would expect the user to get created with the email set like this:

  $ openstack user show dbe5470baecb47fa95f3e0512b0f5744
  +---------------------+----------------------------------+
  | Field               | Value                            |
  +---------------------+----------------------------------+
  | domain_id           | 98401b16aa754830aa7e3eab92e7603b |
  | email               | [email protected]                |
  | enabled             | True                             |
  | id                  | dbe5470baecb47fa95f3e0512b0f5744 |
  | name                | [email protected]                |
  | options             | {}                               |
  | password_expires_at | None                             |
  +---------------------+----------------------------------+

  What happens:

  The user email doesn't get added to the user:

  $ openstack user show dbe5470baecb47fa95f3e0512b0f5744
  +---------------------+----------------------------------+
  | Field               | Value                            |
  +---------------------+----------------------------------+
  | domain_id           | 98401b16aa754830aa7e3eab92e7603b |
  | enabled             | True                             |
  | id                  | dbe5470baecb47fa95f3e0512b0f5744 |
  | name                | [email protected]                |
  | options             | {}                               |
  | password_expires_at | None                             |
  +---------------------+----------------------------------+

  I can see the email property getting mapped correctly in the logs:

  2018-01-31 20:51:05.118 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] rules: [{u'remote': [{u'type': u'OIDC-upn'}, {u'type': u'OIDC-name'}, {u'type': u'OIDC-given_name'}, {u'type': u'OIDC-family_name'}, {u'type': u'OIDC-unique_name'}], u'local': [{u'user': {u'name': u'{0}', u'email': u'{4}'}}, {u'projects': [{u'name': u'{1}', u'roles': [{u'name': u'_member_'}]}]}]}] process /usr/lib/python2.7/site-packages/keystone/federation/utils.py:518
  2018-01-31 20:51:05.118 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'[email protected]'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
  2018-01-31 20:51:05.119 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'Martin Chlumsky'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
  2018-01-31 20:51:05.119 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'Martin'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
  2018-01-31 20:51:05.120 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'Chlumsky'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
  2018-01-31 20:51:05.120 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] updating a direct mapping: [u'[email protected]'] _verify_all_requirements /usr/lib/python2.7/site-packages/keystone/federation/utils.py:816
  2018-01-31 20:51:05.121 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
  2018-01-31 20:51:05.121 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'user': {u'name': u'{0}', u'email': u'{4}'}} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
  2018-01-31 20:51:05.121 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
  2018-01-31 20:51:05.122 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'name': u'{0}', u'email': u'{4}'} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
  2018-01-31 20:51:05.122 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
  2018-01-31 20:51:05.123 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'projects': [{u'name': u'{1}', u'roles': [{u'name': u'_member_'}]}]} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
  2018-01-31 20:51:05.123 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
  2018-01-31 20:51:05.124 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'name': u'{1}', u'roles': [{u'name': u'_member_'}]} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
  2018-01-31 20:51:05.124 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] direct_maps: <keystone.federation.utils.DirectMaps object at 0x7f88a4546e50> _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:698
  2018-01-31 20:51:05.125 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] local: {u'name': u'_member_'} _update_local_mapping /usr/lib/python2.7/site-packages/keystone/federation/utils.py:699
  2018-01-31 20:51:05.125 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] identity_values: [{u'user': {u'name': u'[email protected]', u'email': u'[email protected]'}}, {u'projects': [{u'name': u'Martin Chlumsky', u'roles': [{u'name': u'_member_'}]}]}] process /usr/lib/python2.7/site-packages/keystone/federation/utils.py:538
  2018-01-31 20:51:05.126 19 DEBUG keystone.federation.utils [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] mapped_properties: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'[email protected]', u'email': u'[email protected]'}, 'projects': [{u'name': u'Martin Chlumsky', u'roles': [{u'name': u'_member_'}]}], 'group_names': []} process /usr/lib/python2.7/site-packages/keystone/federation/utils.py:540
  2018-01-31 20:51:05.126 19 INFO keystone.auth.plugins.mapped [req-13328b62-d2c7-43eb-926f-510443d8917f - - - - -] bifbaz: {'group_ids': [], 'user': {'domain': {'id': 'Federated'}, 'type': 'ephemeral', u'name': u'[email protected]', u'email': u'[email protected]'}, 'projects': [{u'name': u'Martin Chlumsky', u'roles': [{u'name': u'_member_'}]}], 'group_names': []}
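
Added example (not part of the bug report and not keystone's code): a minimal Python model of the two steps in this report, filling the rule's {0}/{4} placeholders from the remote attributes and then carrying 'email' onto the shadow user at creation and on later logins. The dict-based store, SYNCED_ATTRS and both function names are hypothetical.

```python
import re

# Mapping rule from the bug report (user part only), embedded as sample input.
RULE = {
    "local": [{"user": {"name": "{0}", "email": "{4}"}}],
    "remote": [{"type": t} for t in (
        "OIDC-upn", "OIDC-name", "OIDC-given_name",
        "OIDC-family_name", "OIDC-unique_name")],
}
PLACEHOLDER = re.compile(r"\{(\d+)\}")
SYNCED_ATTRS = ("email",)  # hypothetical: attributes copied onto the shadow user


def apply_direct_mapping(rule, assertion):
    """Fill {N} in the local part with the N-th remote attribute value.

    Returns None when a remote attribute is absent (this example treats
    that as "rule does not match").
    """
    try:
        values = [assertion[r["type"]] for r in rule["remote"]]
    except KeyError:
        return None

    def fill(node):
        if isinstance(node, dict):
            return {k: fill(v) for k, v in node.items()}
        if isinstance(node, list):
            return [fill(v) for v in node]
        if isinstance(node, str):
            return PLACEHOLDER.sub(lambda m: values[int(m.group(1))], node)
        return node

    mapped = {}
    for item in fill(rule["local"]):
        mapped.update(item)
    return mapped


def sync_shadow_user(store, mapped_user):
    """Create the shadow user on first login, refresh synced attributes after.

    `store` is a plain dict keyed by user name, standing in for the user table.
    """
    user = store.setdefault(
        mapped_user["name"], {"name": mapped_user["name"], "enabled": True})
    for attr in SYNCED_ATTRS:
        if attr in mapped_user and user.get(attr) != mapped_user[attr]:
            user[attr] = mapped_user[attr]
    return user
```

Comparing the stored user against the 'user' part of mapped_properties after each login is the same check the reporter performed by hand with `openstack user show`.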

