Re: [Openstack-operators] [keystone] Federation, domain mappings and v3 policy.json

2016-06-14 Thread Marc Heckmann
See below.

On Mon, 2016-06-13 at 22:12 -0400, Adam Young wrote:
> On 06/13/2016 07:08 PM, Marc Heckmann wrote:
> > Hi,
> > 
> > I currently have a lab setup using SAML2 federation with Microsoft ADFS.
> > 
> > The federation part itself works wonderfully. However, I'm also trying
> > to use the new project as domains feature along with the Keystone v3
> > sample policy.json file for Keystone:
> > 
> > The idea is that I should be able to map users who are in a specific
> > group in Active Directory to the admin role in a specific domain. This
> > should work for Keystone with the sample v3 policy (let's ignore
> > problems with the admin role in other projects such as Nova). In this
> > case I'm using the new project as domains feature, but I suspect that
> > the problem would apply to regular domains as well.
> > 
> > The mapping works properly with the important caveat that the user
> > domain does not match the domain of the project(s) that I'm assigning
> > the admin role to. Users who come in from Federation always belong to
> > the "Federated" domain. This is the case even if I pre-create the users
> > locally in a specific domain. This breaks sample v3 policy.json because
> > the rules expect the user's domain to match the project's domain.
> > 
> > Does anyone know if there is any way to achieve what I'm trying to do
> > when using Federation?
> Can you post your mapping file?  Might be easier to tell from that what
> you are trying to do?

Here is the simple mapping that I started with. The "upn" and "groups"
types are defined from the SAML claims using a mod_auth_mellon config
(see below). The mapping between ADFS groups and local Keystone groups
works great. 

  [
    {
      "local": [
        {
          "user": {
            "name": "{0}"
          }
        },
        {
          "groups": "{1}",
          "domain": {
            "id": "default"
          }
        }
      ],
      "remote": [
        {
          "type": "upn"
        },
        {
          "type": "groups"
        }
      ]
    }
  ]

Here is the group role assignment command that I'm using. The Active
Directory user is a member of the "Beta" AD group. 

"openstack role add --group-domain default --project-domain betaproj --project adminproj --group Beta admin"

The role assignment works fine.

I then tried to use the following mapping to force the user into a
specific domain, but it didn't change anything:

  [
    {
      "local": [
        {
          "user": {
            "name": "{0}",
            "domain": {
              "name": "betaproj"
            }
          }
        },
        {
          "groups": "{1}",
          "domain": {
            "name": "betaproj"
          }
        }
      ],
      "remote": [
        {
          "type": "upn"
        },
        {
          "type": "groups"
        }
      ]
    }
  ]

For completeness, the aforementioned Mellon config:

MellonSetEnvNoPrefix upn http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
MellonSetEnvNoPrefix groups http://schemas.xmlsoap.org/claims/Group
MellonMergeEnvVars On

Thanks again.

-m

___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
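An added example, not code from the thread, from keystone or from mod_auth_mellon: a simplified Python model of the first mapping posted above and of the domain-matching check Marc describes. The mapping engine and the policy rule are assumptions standing in for keystone's mapping engine and oslo.policy, and the SAML attribute values, user name and project domain id are constructed.

```python
import json

# The first mapping rule set from the post, as a Python literal.
MAPPING = [{
    "local": [{"user": {"name": "{0}"}},
              {"groups": "{1}", "domain": {"id": "default"}}],
    "remote": [{"type": "upn"}, {"type": "groups"}],
}]

def apply_mapping(rules, env, idp_domain="Federated"):
    """Simplified stand-in for keystone's mapping engine (assumption):
    '{n}' is replaced by the n-th remote attribute; a multi-valued
    'groups' value is split on ';', the separator MellonMergeEnvVars
    uses by default. The user always lands in idp_domain, mirroring
    the behaviour the post reports ("Federated")."""
    result = {"user": {}, "groups": []}
    for rule in rules:
        values = [env.get(r["type"], "") for r in rule["remote"]]
        if not all(values):
            continue  # skip rules whose remote attributes are absent
        for local in rule["local"]:
            if "user" in local:
                name = local["user"]["name"].format(*values)
                result["user"] = {"name": name, "domain_id": idp_domain}
            if "groups" in local:
                dom = local["domain"].get("id") or local["domain"].get("name")
                for g in local["groups"].format(*values).split(";"):
                    result["groups"].append({"name": g, "domain_id": dom})
    return result

def admin_and_matching_domain(user, roles, project):
    """The check the post blames: the caller must hold the admin role
    AND the user's domain must equal the target project's domain."""
    return "admin" in roles and user["domain_id"] == project["domain_id"]

# Constructed SAML attributes as mod_auth_mellon would export them.
ENV = {"upn": "marc@example.test", "groups": "Beta;Users"}
# The project from the role-assignment command (domain id is constructed).
PROJECT = {"name": "adminproj", "domain_id": "betaproj"}

if __name__ == "__main__":
    mapped = apply_mapping(MAPPING, ENV)
    print(json.dumps(mapped, indent=2))
    # Group "Beta" carries the admin role, yet the user's domain is
    # "Federated", so the domain-matching rule denies the request.
    print(admin_and_matching_domain(mapped["user"], ["admin"], PROJECT))
```

Swapping the user's domain_id for the project's domain is the only change that makes the check pass, which is what the posted mappings try and fail to do.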


Re: [Openstack-operators] [keystone] Federation, domain mappings and v3 policy.json

2016-06-13 Thread Adam Young

On 06/13/2016 07:08 PM, Marc Heckmann wrote:
> Hi,
> 
> I currently have a lab setup using SAML2 federation with Microsoft
> ADFS.
> 
> The federation part itself works wonderfully. However, I'm also trying
> to use the new project as domains feature along with the Keystone v3
> sample policy.json file for Keystone:
> 
> The idea is that I should be able to map users who are in a specific
> group in Active Directory to the admin role in a specific domain. This
> should work for Keystone with the sample v3 policy (let's ignore
> problems with the admin role in other projects such as Nova). In this
> case I'm using the new project as domains feature, but I suspect that
> the problem would apply to regular domains as well.
> 
> The mapping works properly with the important caveat that the user
> domain does not match the domain of the project(s) that I'm assigning
> the admin role to. Users who come in from Federation always belong to
> the "Federated" domain. This is the case even if I pre-create the users
> locally in a specific domain. This breaks sample v3 policy.json because
> the rules expect the user's domain to match the project's domain.
> 
> Does anyone know if there is any way to achieve what I'm trying to do
> when using Federation?

Can you post your mapping file?  Might be easier to tell from that what
you are trying to do?

> Thanks in advance.
> 
> -m



[Openstack-operators] [keystone] Federation, domain mappings and v3 policy.json

2016-06-13 Thread Marc Heckmann

Hi,

I currently have a lab setup using SAML2 federation with Microsoft
ADFS. 

The federation part itself works wonderfully. However, I'm also trying
to use the new project as domains feature along with the Keystone v3
sample policy.json file for Keystone:

The idea is that I should be able to map users who are in a specific
group in Active Directory to the admin role in a specific domain. This
should work for Keystone with the sample v3 policy (let's ignore
problems with the admin role in other projects such as Nova). In this
case I'm using the new project as domains feature, but I suspect that
the problem would apply to regular domains as well.

The mapping works properly with the important caveat that the user
domain does not match the domain of the project(s) that I'm assigning
the admin role to. Users who come in from Federation always belong to
the "Federated" domain. This is the case even if I pre-create the users
locally in a specific domain. This breaks sample v3 policy.json because
the rules expect the user's domain to match the project's domain. 

Does anyone know if there is any way to achieve what I'm trying to do
when using Federation?

Thanks in advance.

-m
