Comment 0 for bug 1888412

Rafael Weingartner (rafaelweingartner) wrote :

Problem Description
===================
This proposal depends on https://bugs.launchpad.net/keystone/+bug/1887515, which is the proposal that enhances the identity mapping schema management. Therefore, we first need to get that reviewed and merged.

Currently, the project assignment via the federated identity mapping is rather static. This happens because of the find/replace mechanism that we have in place there. Therefore, if the IdP provider generates an attribute that contains a JSON with project definitions, we are not able to handle it in Keystone.

This proposal introduces a new property in the federated identity mapping schema called `projects_json`. In the schema, this property will accept a JSON string that defines all of the projects and their specific roles that the user must receive when logging in to the OpenStack platform. Moreover, when using this

Proposed Change
===============
The extension is quite straightforward. We created a new "federation_attribute_mapping_schema_version" version (1.2). This new version enables the handling of `project_json` in the attribute mapping.

Furthermore, we added code to handle the addition of extra roles for projects and removal of roles that are present in OpenStack, but are not in the IdP data. This is a mechanism to make the state of the OpenStack federated user consistent with the Identity provider user attributes.
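As an added illustration of the reconciliation step described in this comment (not code from the proposal or from Keystone itself; the `projects_json` layout, the sample data and the function names are assumptions):

```python
import json

# Constructed sample of the IdP attribute. The exact projects_json layout is
# an assumption here; the proposal does not spell it out.
IDP_PROJECTS_JSON = json.dumps([
    {"name": "demo", "domain": "Default", "roles": ["member", "reader"]},
    {"name": "ops", "domain": "Default", "roles": ["admin"]},
])

# Constructed snapshot of what Keystone currently holds for the federated
# user, keyed by (project name, domain name).
CURRENT_ASSIGNMENTS = {
    ("demo", "Default"): {"member", "admin"},
    ("old-proj", "Default"): {"member"},
}


def parse_projects_json(raw):
    """Turn the IdP attribute into {(project, domain): set(roles)}.
    Entries without a name, or whose roles field is not a list, are rejected
    so a malformed attribute cannot silently grant nothing or everything."""
    desired = {}
    for entry in json.loads(raw):
        name = entry.get("name")
        roles = entry.get("roles")
        if not name or not isinstance(roles, list):
            raise ValueError("malformed project entry: %r" % (entry,))
        key = (name, entry.get("domain", "Default"))
        desired.setdefault(key, set()).update(roles)
    return desired


def reconcile(current, desired):
    """Return (grants, revocations) that make Keystone match the IdP data.
    Roles present in Keystone but absent from the IdP data are revoked,
    including every role on a project the IdP no longer lists at all."""
    grants, revocations = {}, {}
    for key in set(current) | set(desired):
        have = current.get(key, set())
        want = desired.get(key, set())
        if want - have:
            grants[key] = sorted(want - have)
        if have - want:
            revocations[key] = sorted(have - want)
    return grants, revocations


def plan_from_idp(raw=IDP_PROJECTS_JSON, current=CURRENT_ASSIGNMENTS):
    """Hypothetical entry point: parse the attribute and compute the changes."""
    return reconcile(current, parse_projects_json(raw))
```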