[Openstack-operators] [keystone] Federation, domain mappings and v3 policy.json
Marc Heckmann
marc.heckmann at ubisoft.com
Tue Jun 14 15:03:38 UTC 2016
See below.
On Mon, 2016-06-13 at 22:12 -0400, Adam Young wrote:
> On 06/13/2016 07:08 PM, Marc Heckmann wrote:
> >
> > Hi,
> >
> > I currently have a lab setup using SAML2 federation with Microsoft ADFS.
> >
> > The federation part itself works wonderfully. However, I'm also trying to use the new project as domains feature along with the Keystone v3 sample policy.json file for Keystone:
> >
> > The idea is that I should be able to map users who are in a specific group in Active Directory to the admin role in a specific domain. This should work for Keystone with the sample v3 policy (let's ignore problems with the admin role in other projects such as Nova). In this case I'm using the new project as domains feature, but I suspect that the problem would apply to regular domains as well.
> >
> > The mapping works properly with the important caveat that the user domain does not match the domain of the project(s) that I'm assigning the admin role to. Users who come in from Federation always belong to the "Federated" domain. This is the case even if I pre-create the users locally in a specific domain. This breaks the sample v3 policy.json because the rules expect the user's domain to match the project's domain.
> >
> > Does anyone know if there is any way to achieve what I'm trying to do when using Federation?
> Can you post your mapping file? Might be easier to tell from that what you are trying to do?
Here is the simple mapping that I started with. The "upn" and "groups" types are defined from the SAML claims using a mod_auth_mellon config (see below). The mapping between ADFS groups and local Keystone groups works great.

[
  {
    "local": [
      {
        "user": {
          "name": "{0}"
        }
      },
      {
        "groups": "{1}",
        "domain": {
          "id": "default"
        }
      }
    ],
    "remote": [
      {
        "type": "upn"
      },
      {
        "type": "groups"
      }
    ]
  }
]
Here is the group role assignment command that I'm using. The Active Directory user is a member of the "Beta" AD group.

"openstack role add --group-domain default --project-domain betaproj --project adminproj --group Beta admin"

The role assignment works fine.
I then tried to use the following mapping to force the user into a specific domain, but it didn't change anything:

[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "domain": {
            "name": "betaproj"
          }
        }
      },
      {
        "groups": "{1}",
        "domain": {
          "name": "betaproj"
        }
      }
    ],
    "remote": [
      {
        "type": "upn"
      },
      {
        "type": "groups"
      }
    ]
  }
]
For completeness, the aforementioned Mellon config:

MellonSetEnvNoPrefix upn http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
MellonSetEnvNoPrefix groups http://schemas.xmlsoap.org/claims/Group
MellonMergeEnvVars On
Thanks again.
-m
>
> >
> >
> > Thanks in advance.
> >
> > -m
> >
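As an added illustration of the domain mismatch described in this thread (example code written for this page, not Keystone's mapping engine or oslo.policy), the toy model below renders a mapping of the same shape as the first one posted, from constructed Mellon environment values, and then evaluates a constructed `domain_id` check of the kind the sample v3 policy relies on: the user landing in the "Federated" domain fails the check on a project in `betaproj` even though the Beta group carries the admin role. The `{N}` substitution, the `;` splitting of groups and the forced "Federated" domain are simplifications assumed for the example.

```python
import re

# Constructed sample mapping, same shape as the first mapping posted above.
MAPPING = {
    "local": [{"user": {"name": "{0}"}},
              {"groups": "{1}", "domain": {"id": "default"}}],
    "remote": [{"type": "upn"}, {"type": "groups"}],
}
# Constructed env as mod_auth_mellon sets it (MellonMergeEnvVars joins repeats with ';').
ASSERTION_ENV = {"upn": "alice@example.test", "groups": "Beta;Users"}
# Constructed rule in the sample v3 policy style: caller's domain must equal the target
# project's domain. Evaluated by the toy checker below, not by oslo.policy.
RULE = "domain_id:%(target.project.domain_id)s"


def _substitute(node, values):
    """Recursively fill {0}, {1}, ... with remote attribute values, in 'remote' order."""
    if isinstance(node, dict):
        return {k: _substitute(v, values) for k, v in node.items()}
    if isinstance(node, list):
        return [_substitute(v, values) for v in node]
    return node.format(*values) if isinstance(node, str) else node


def apply_mapping(mapping, env, federated_domain_id="Federated"):
    """Render the local user and group names. Assumption taken from the post: the
    federated user's domain is forced to 'Federated' whatever the mapping says."""
    values = [env.get(r["type"], "") for r in mapping["remote"]]
    local = _substitute(mapping["local"], values)
    user = next(item["user"] for item in local if "user" in item)
    groups = next(item["groups"] for item in local if "groups" in item).split(";")
    user["domain"] = {"id": federated_domain_id}
    return user, groups


def check(rule, creds, target):
    """Evaluate one 'kind:value' generic check; %(target.a.b)s is looked up in target."""
    kind, _, value = rule.partition(":")
    m = re.fullmatch(r"%\(target\.(.+)\)s", value)
    if m:
        for part in m.group(1).split("."):
            target = target[part]
        value = target
    return creds.get(kind) == value


def federated_admin_allowed(project_domain_id):
    """Does a federated Beta-group user pass the domain check on a project in that domain?"""
    user, groups = apply_mapping(MAPPING, ASSERTION_ENV)
    creds = {"domain_id": user["domain"]["id"], "roles": ["admin"] if "Beta" in groups else []}
    target = {"project": {"domain_id": project_domain_id}}
    return "admin" in creds["roles"] and check(RULE, creds, target)
```

`federated_admin_allowed("betaproj")` is False while `federated_admin_allowed("Federated")` is True, which is the mismatch the thread describes: the role assignment is present, but the domain-scoped rule never matches for a federated caller.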