Federated users are unable to create heat stacks.

Solution In Progress - Updated -

Issue

  • We have implemented federated users on OpenStack using OIDC. This works well except for the fact that no federated users are able to create heat stacks.

  • The creation fails with:

(os) [root@undercloud clone]# openstack stack create -t simple.yaml simple-test
ERROR: Missing required credential: roles [u'_member_']
  • This happens both from the command line and via Horizon. All other functions work as expected; customers are able to build machines etc. as normal.

  • The mapping works as follows:

SSO Group --> OpenStack Group --> Member Permission --> Project
  • Here is the mapping file we have used:

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "email": "{0}"
                },
                "groups": "{1}",
                "domain": {
                    "id": "default"
                }
            }
        ],
        "remote": [
            {
                "type": "OIDC-email"
            },
            {
                "type": "OIDC-groups"
            }
        ]
    }
]
  • All this does is match the group provided from Keycloak to its matching group in OpenStack. The group in OpenStack has the member role applied.
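The following script is an added illustration (not keystone's mapping engine and not Red Hat or customer code) of what the mapping above does: it substitutes the OIDC-email and OIDC-groups assertion values into the "local" block, resolves the resulting group memberships against a role-assignment table, and reports which roles a service would find missing from the token. The assertion values, the group name "cloud-users", the project "demo-project" and the group-to-role table are constructed sample data; the required role `_member_` is taken from the error message on this page. The script only shows how to compare the roles a federated user actually holds against a role a service asks for; it makes no claim about the cause of the failure.

```python
"""Simulate how a keystone federation mapping turns an OIDC assertion into a
local user plus group memberships, then compute the roles that user would
hold on a project through those groups.

Added, self-contained illustration: it handles only the rule shape used in
the issue ("local" user/groups with {0}/{1} substitution from a positional
list of "remote" types), not the full mapping-rule language.
"""
import json
import re

# The mapping rules as given in the issue.
MAPPING_RULES = json.loads("""
[{
    "local": [
        {
            "user": {"name": "{0}", "email": "{0}"},
            "groups": "{1}",
            "domain": {"id": "default"}
        }
    ],
    "remote": [
        {"type": "OIDC-email"},
        {"type": "OIDC-groups"}
    ]
}]
""")

# Constructed OIDC assertion as the auth module would expose it to keystone;
# the attribute names match the "remote" types in the mapping.
SAMPLE_ASSERTION = {
    "OIDC-email": "alice@example.com",
    "OIDC-groups": "cloud-users",
}

# Constructed role assignments: (group name, project name) -> roles held.
# Mirrors the issue text: the OpenStack group has the "member" role.
SAMPLE_GROUP_ROLES = {
    ("cloud-users", "demo-project"): {"member"},
}


def _substitute(value, remote_values):
    """Replace {0}, {1}, ... placeholders with positional remote values."""
    if isinstance(value, dict):
        return {k: _substitute(v, remote_values) for k, v in value.items()}
    if isinstance(value, str):
        return re.sub(r"\{(\d+)\}",
                      lambda m: remote_values[int(m.group(1))], value)
    return value


def apply_mapping(rules, assertion):
    """Return (local user dict, list of group names) from the first rule
    whose remote attributes are all present in the assertion.

    Only the plain "type" match form is supported (no any_one_of,
    not_any_of or regex filters).
    """
    for rule in rules:
        remote_types = [r["type"] for r in rule["remote"]]
        if not all(t in assertion for t in remote_types):
            continue
        remote_values = [assertion[t] for t in remote_types]
        user, groups = {}, []
        for local in rule["local"]:
            local = _substitute(local, remote_values)
            if "user" in local:
                user = dict(local["user"], domain=local.get("domain", {}))
            if "groups" in local:
                raw = local["groups"]
                # keystone accepts a single group name or a JSON-encoded list
                try:
                    parsed = json.loads(raw)
                    groups.extend(parsed if isinstance(parsed, list) else [raw])
                except ValueError:
                    groups.append(raw)
        return user, groups
    return None, []


def effective_roles(groups, project, group_roles):
    """Union of roles the user's groups hold on the given project."""
    roles = set()
    for g in groups:
        roles |= group_roles.get((g, project), set())
    return roles


def missing_roles(required, held):
    """Roles a service demands that the user's token would not carry."""
    return sorted(set(required) - set(held))


if __name__ == "__main__":
    user, groups = apply_mapping(MAPPING_RULES, SAMPLE_ASSERTION)
    roles = effective_roles(groups, "demo-project", SAMPLE_GROUP_ROLES)
    print("user:", user)
    print("groups:", groups)
    print("roles on demo-project:", sorted(roles))
    # "_member_" is the role named in the error message in the issue.
    print("missing:", missing_roles(["_member_"], roles))
```

Run against the sample data, the user resolves to alice@example.com in the default domain with group "cloud-users", holds only "member" on demo-project, and the comparison reports `_member_` as absent; swapping in the real assertion attributes and the output of `openstack role assignment list --group <group> --project <project>` turns this into a quick check of what a federated token will actually carry.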

Environment

  • Red Hat OpenStack Platform 13.0 (RHOSP)
