[openstack-dev] [keystone]trusts with federated users

Adam Young ayoung at redhat.com
Wed Jun 8 01:14:27 UTC 2016

On 06/07/2016 10:28 AM, Gyorgy Szombathelyi wrote:
> Hi!
> As an OIDC user, tried to play with Heat and Murano recently. They usually fail with a trust creation error, noticing that keystone cannot find the _member_ role while creating the trust.
Hmmm...that should not be the case.  The user in question should have a 
role on the project, but getting it via a group is OK.

I suspect the problem is the Ephemeral nature of Federated users. With 
the Shadow user construct (under construction) there would be something 
to use.

Please file a bug on this and assign it to me (or notify me if you can't 

> Since a federated user is not really have a role in a project, but it is a member of a group, which has the appropriate role(s), I suspect that this will never work with Federation?
> Or is it a known/general problem with trusts and groups? I cannot really decide if it is a problem at the Heat, or the Keystone side, can you give me some advice?
> If it is not an error in the code, but in my setup, then please forgive me this stupid question.
> Br,
> György
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list