[RFE] Keystone identity mapping to support project definition as a JSON
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
In Progress
|
Undecided
|
Rafael Weingartner | ||
Bug Description
Problem Description
=================
This proposal depends on https:/
Currently, the project assignment via the federated identity mapping is rather static. This happens because of the find/replace mechanism that we have in place there. Therefore, if the IdP provider generates an attribute that contains a JSON with project definitions, we are not able to handle it in Keystone.
This proposal introduces a new property in the federated identity mapping schema called `projects_json`. In the schema, this property will accept a JSON string, that defines all of the projects and their specific roles that the user must receive when login-in to the OpenStack platform. Moreover, when using this extension, roles (assigned to projects) are added and removed on the fly.
Proposed Change
===============
The extension is quite straight forward. We created a new "federation_
Furthermore, we added code to handle the addition of extra roles for projects and removal of roles that are present in OpenStack, but are not in the IdP data. This is a mechanism to make the state of the OpenStack federated user consistent with the Identity provider user attributes.
| description: | updated |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (master) | #1 |
| Changed in keystone: | |
| assignee: | nobody → Rafael Weingartner (rafaelweingartner) |
| status: | New → In Progress |
Fix proposed to branch: master
Review: https:/