Keystone Federation Mapping Rules.

Solution In Progress - Updated -

Issue

  • Are there additional mapping rule examples that will allow users belonging to multiple groups to be assigned to the correct projects for those groups?

  • We have used multiple project declarations in the local section (project: {1[0]}, project: {1[1]}, etc.), which will create the projects and allow the user to log in; however, if there are more projects in the local rules than the user has access to, it causes a Horizon timeout error.

  • We are looking for an example that would allow User-1 with groups B,D,E to access projects B,D,E but not A,C,F.

  • We've tried the example; however, it is not working:

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "domain": {
                        "name": "federated_domain"
                    },
                    "name": "federated_users"
                }
            }
        ],
        "remote": [
            {
                "type": "MELLON_NAME_ID"
            },
            {
                "type": "MELLON_groups",
                "any_one_of": ["openstack.ocd98.test"]
            }
        ]
    }
]

  • We also tried creating the group and project and assigning the role, and that didn't seem to work. We have to physically assign the user to the project for them to have access, and that seems to defeat the purpose of this exercise.
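
An added example, not part of the original article and not Keystone's own code: a simplified Python model of how a rule with an `any_one_of` condition and `{0}` substitution is evaluated, run against the mapping posted above. The assertions, user names and group names B, D, E, A are constructed sample input, and the function names are hypothetical.

```python
# Simplified model of Keystone mapping evaluation (single-rule case only).
RULES = [{
    "local": [{"user": {"name": "{0}"},
               "group": {"domain": {"name": "federated_domain"},
                         "name": "federated_users"}}],
    "remote": [{"type": "MELLON_NAME_ID"},
               {"type": "MELLON_groups",
                "any_one_of": ["openstack.ocd98.test"]}],
}]

def match_remote(remote, assertion):
    """Return the values usable as {0}, {1}, ... or None if a requirement fails."""
    direct = []
    for req in remote:
        values = assertion.get(req["type"])
        if not values:
            return None
        if "any_one_of" in req:
            if not set(req["any_one_of"]) & set(values):
                return None
            continue  # condition only: gates the rule, supplies no {N} value
        direct.append(values)
    return direct

def evaluate(rules, assertion):
    """Return (user name, local group names) for the first matching rule."""
    for rule in rules:
        direct = match_remote(rule["remote"], assertion)
        if direct is None:
            continue
        firsts = [v[0] for v in direct]  # simplification: first value of each
        user, groups = None, []
        for local in rule["local"]:
            if "user" in local:
                user = local["user"]["name"].format(*firsts)
            if "group" in local:
                groups.append(local["group"]["name"])
        return user, groups
    return None

# Constructed assertions: values as lists, one entry per IdP group.
USER1 = {"MELLON_NAME_ID": ["user-1"],
         "MELLON_groups": ["openstack.ocd98.test", "B", "D", "E"]}
USER2 = {"MELLON_NAME_ID": ["user-2"],
         "MELLON_groups": ["openstack.ocd98.test", "A"]}

if __name__ == "__main__":
    print(evaluate(RULES, USER1))  # both users land in the same single group
    print(evaluate(RULES, USER2))
```

In this model the posted rule uses `MELLON_groups` only as a gate, so every matching user receives the one local group `federated_users` regardless of which other IdP groups they hold.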

Environment

  • Red Hat OpenStack Platform 13.0 (RHOSP)
