Public bug reported:

When a trust is created a trustor user is required to have a role on the project in question. This is verified via a call to the keystone database without looking at roles that can be inferred from federated groups present in a token.

In this scenario a federated user does not have any direct role assignments in the Keystone database - only the ones that can be inferred from federated group membership.

https://opendev.org/openstack/keystone/src/branch/stable/queens/keystone/trust/controllers.py#L141
https://opendev.org/openstack/keystone/src/branch/stable/queens/keystone/trust/controllers.py#L172-L178

A call to /v3/auth/tokens which verifies that "roles" for groups present in the "OS-FEDERATION" section are properly populated: http://paste.openstack.org/show/753298/

    "roles": [
        {
            "id": "e4ab04a7c6ec4c91a826b2a3ba333407",
            "domain_id": null,
            "name": "Member"
        }
    # ...
    "user": {
        "OS-FEDERATION": {
            "identity_provider": {
                "id": "adfs"
            },
            "protocol": {
                "id": "mapped"
            },
            "groups": [
                {
                    "id": "7594d86688c54ee2aab4c9df020f5468"
                }
            ]
        },

This bug is similar to this one for application credentials: https://bugs.launchpad.net/keystone/+bug/1832092

Users, Member role and role assignments: http://paste.openstack.org/show/753300/

The issue was discovered while troubleshooting "Error: ERROR: Missing required credential: roles [u'Member']" shown by the heat dashboard during a stack creation: http://paste.openstack.org/show/753301/ (heat API rpdb trace where a Keystone trust API call is made)

Keystone side: http://paste.openstack.org/show/753302/ (keystone trust API rpdb trace)

** Affects: keystone
     Importance: Undecided
         Status: New

** Tags: cpe-onsite

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1834009

Title:
  Trust API does not support delegating federated roles (roles obtained from federated groups)

Status in OpenStack Identity (keystone):
  New
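The role check the report describes, as an added illustration that is not keystone's own code: a trustor's roles looked up from direct assignments only (what the trust controller effectively consults) beside a check that also credits roles held by the OS-FEDERATION groups in the token. The assignment tables, user and project ids are constructed; only the token shape follows the /v3/auth/tokens excerpt above.

```python
# Added illustration of the role check the bug report describes; not keystone's
# own code. Sample data is constructed, only the token shape follows the report.
from typing import Dict, Set, Tuple

# Direct role assignments as stored in the keystone database, keyed by
# (user_id, project_id). The federated user deliberately has none.
DIRECT_ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("local-user", "proj-a"): {"Member"},
}
# Role assignments held by groups that the federation mapping places users into.
GROUP_ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("7594d86688c54ee2aab4c9df020f5468", "proj-a"): {"Member"},
}
# Constructed token for a federated user, shaped like the paste in the report.
FEDERATED_TOKEN = {"token": {
    "user": {"id": "fed-user", "OS-FEDERATION": {
        "identity_provider": {"id": "adfs"}, "protocol": {"id": "mapped"},
        "groups": [{"id": "7594d86688c54ee2aab4c9df020f5468"}]}},
    "roles": [{"id": "e4ab04a7c6ec4c91a826b2a3ba333407", "name": "Member"}],
}}


def roles_from_db(user_id: str, project_id: str) -> Set[str]:
    """Direct assignments only: the lookup the trust controller effectively makes."""
    return set(DIRECT_ASSIGNMENTS.get((user_id, project_id), set()))


def roles_with_federated_groups(token: dict, project_id: str) -> Set[str]:
    """Direct assignments plus roles inferred from OS-FEDERATION group membership."""
    user = token["token"]["user"]
    roles = roles_from_db(user["id"], project_id)
    for group in user.get("OS-FEDERATION", {}).get("groups", []):
        roles |= GROUP_ASSIGNMENTS.get((group["id"], project_id), set())
    return roles


def missing_trust_roles(requested: Set[str], available: Set[str]) -> Set[str]:
    """Roles the trustor asks to delegate but does not hold; non-empty means the
    trust is rejected, which is what heat surfaces as a missing credential."""
    return set(requested) - set(available)
```

With the database-only lookup the federated user is missing "Member" and the trust is refused; the federation-aware lookup finds the role through the group and the same request succeeds.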