[openstack-dev] [keystone]trusts with federated users
ayoung at redhat.com
Wed Jun 8 01:14:27 UTC 2016
On 06/07/2016 10:28 AM, Gyorgy Szombathelyi wrote:
> As an OIDC user, tried to play with Heat and Murano recently. They usually fail with a trust creation error, noticing that keystone cannot find the _member_ role while creating the trust.
Hmmm...that should not be the case. The user in question should have a
role on the project, but getting it via a group is OK.
I suspect the problem is the Ephemeral nature of Federated users. With
the Shadow user construct (under construction) there would be something
Please file a bug on this and assign it to me (or notify me if you can't
> Since a federated user is not really have a role in a project, but it is a member of a group, which has the appropriate role(s), I suspect that this will never work with Federation?
> Or is it a known/general problem with trusts and groups? I cannot really decide if it is a problem at the Heat, or the Keystone side, can you give me some advice?
> If it is not an error in the code, but in my setup, then please forgive me this stupid question.
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
More information about the OpenStack-dev