[Openstack-operators] [keystone] Federation, domain mappings and v3 policy.json

Marc Heckmann marc.heckmann at ubisoft.com
Tue Jun 14 15:03:38 UTC 2016


See below.

On Mon, 2016-06-13 at 22:12 -0400, Adam Young wrote:
> On 06/13/2016 07:08 PM, Marc Heckmann wrote:
> > 
> > Hi,
> > 
> > I currently have a lab setup using SAML2 federation with Microsoft ADFS.
> > 
> > The federation part itself works wonderfully. However, I'm also trying
> > to use the new project as domains feature along with the Keystone v3
> > sample policy.json file for Keystone:
> > 
> > The idea is that I should be able to map users who are in a specific
> > group in Active Directory to the admin role in a specific domain. This
> > should work for Keystone with the sample v3 policy (let's ignore
> > problems with the admin role in other projects such as Nova). In this
> > case I'm using the new project as domains feature, but I suspect that
> > the problem would apply to regular domains as well.
> > 
> > The mapping works properly with the important caveat that the user
> > domain does not match the domain of the project(s) that I'm assigning
> > the admin role to. Users who come in from Federation always belong to
> > the "Federated" domain. This is the case even if I pre-create the users
> > locally in a specific domain. This breaks sample v3 policy.json because
> > the rules expect the user's domain to match the project's domain.
> > 
> > Does anyone know if there is any way to achieve what I'm trying to do
> > when using Federation?
> Can you post your mapping file?  Might be easier to tell from that what
> you are trying to do?

Here is the simple mapping that I started with. The "upn" and "groups"
types are defined from the SAML claims using a mod_auth_mellon config
(see below). The mapping between ADFS groups and local Keystone groups
works great. 

  [
    {
      "local": [
        {
          "user": {
            "name": "{0}"
          }
        },
        {
          "groups": "{1}",
          "domain": {
            "id": "default"
          }
        }
      ],
      "remote": [
        {
          "type": "upn"
        },
        {
          "type": "groups"
        }
      ]
    }
  ]

Here is the group role assignment command that I'm using. The Active
Directory user is a member of the "Beta" AD group. 

  openstack role add --group-domain default --project-domain betaproj --project adminproj --group Beta admin

The role assignment works fine.

I then tried to use the following mapping to force the user into a
specific domain, but it didn't change anything:

  [
    {
      "local": [
        {
          "user": {
            "name": "{0}",
            "domain": {
              "name": "betaproj"
            }
          }
        },
        {
          "groups": "{1}",
          "domain": {
            "name": "betaproj"
          }
        }
      ],
      "remote": [
        {
          "type": "upn"
        },
        {
          "type": "groups"
        }
      ]
    }
  ]

For completeness, the aforementioned Mellon config:

  MellonSetEnvNoPrefix upn http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  MellonSetEnvNoPrefix groups http://schemas.xmlsoap.org/claims/Group
  MellonMergeEnvVars On

Thanks again.

-m
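As an added illustration (this is not code from the thread, from Keystone or from oslo.policy): a minimal evaluator for the subset of oslo.policy rule syntax that the sample v3 policy uses, run over constructed credentials for a local admin and for a federated admin who holds the same role assignment. The rule strings are an approximation of entries in Keystone's policy.v3cloudsample.json, and the credential dicts model the user's domain in `domain_id`, as the post describes the rules expecting; both are assumptions, as are the project and domain ids.

```python
"""Mini oslo.policy-style evaluator showing why a federated admin fails the
sample v3 domain-admin rule. Added example; not Keystone or oslo.policy code."""
import re

# Assumption: approximation of three rules from policy.v3cloudsample.json.
# Exact rule text differs between releases; the shape is what matters here.
RULES = {
    "admin_required": "role:admin",
    "admin_and_matching_target_project_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "identity:get_project":
        "rule:admin_and_matching_target_project_domain_id"
        " or project_id:%(target.project.id)s",
}


def _lookup(path, target):
    """Resolve a dotted reference such as 'target.project.domain_id'."""
    node = {"target": target}
    for part in path.split("."):
        node = node[part]
    return node


def _check_atom(atom, creds, target):
    """Evaluate one 'kind:value' check: rule:, role:, or a credential match."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: the credential field must equal a literal or a
    # %(...)s reference resolved against the target object.
    ref = re.fullmatch(r"%\((.+)\)s", value)
    expected = _lookup(ref.group(1), target) if ref else value
    return creds.get(kind) == expected


def evaluate(expr, creds, target):
    """Evaluate 'a and b or c'; 'and' binds tighter than 'or', no parentheses."""
    return any(
        all(_check_atom(atom.strip(), creds, target)
            for atom in disjunct.split(" and "))
        for disjunct in expr.split(" or ")
    )


def enforce(rule_name, creds, target):
    """Look up a named rule and evaluate it, as a policy enforcer would."""
    return evaluate(RULES[rule_name], creds, target)


# Constructed target: project 'adminproj' living in the 'betaproj' domain
# (a project acting as a domain, as in the thread). Ids are assumptions.
TARGET = {"project": {"id": "adminproj-id", "domain_id": "betaproj-id"}}

# Constructed credentials. Assumption: domain_id carries the user's domain,
# which is how the post describes the sample policy treating it.
LOCAL_ADMIN = {"roles": ["admin"], "domain_id": "betaproj-id",
               "project_id": "adminproj-id"}

# Same admin role via the group assignment, but the user arrived through
# SAML federation, so Keystone placed them in the 'Federated' domain.
FEDERATED_ADMIN = {"roles": ["admin"], "domain_id": "Federated",
                   "project_id": "adminproj-id"}


def domain_admin_decisions():
    """Policy decision for the domain-admin rule, per kind of admin user."""
    rule = "admin_and_matching_target_project_domain_id"
    return {
        "local": enforce(rule, LOCAL_ADMIN, TARGET),
        "federated": enforce(rule, FEDERATED_ADMIN, TARGET),
    }


if __name__ == "__main__":
    for who, allowed in domain_admin_decisions().items():
        print(f"{who:9s} admin on betaproj-domain projects: {allowed}")
    print("federated get_project via project_id match:",
          enforce("identity:get_project", FEDERATED_ADMIN, TARGET))
```

Both users carry the admin role on the same project, and both still pass `identity:get_project` through the `project_id` branch; only the domain-matching rule separates them, and it does so purely on the `domain_id` credential, which for the federated user is the "Federated" domain rather than betaproj.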

> 
> > 
> > 
> > Thanks in advance.
> > 
> > -m
> > 
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators