** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1290258

Title:
  Group ids are not validated after SAML2->groups mapping and federated
  token scoping

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  During federated authentication, a dedicated mechanism called RuleProcessor
  maps SAML2 parameters into Keystone groups. It's done by matching certain
  rules added by cloud administrators. However, Keystone doesn't check whether
  the resulting groups are present in the backend. This may lead to errors
  ("mapping doesn't work as expected") due to a typo in the rule, or to
  situations where a group was deleted and admins are not aware of that fact.
  The fix should include a function that checks whether all the groups are
  present in the backend and, if not, logs a warning and removes nonexistent
  groups from the list. The same policy should be applied when scoping a
  federated unscoped token.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1290258/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
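
The check proposed in the bug description, sketched as an added example (not Keystone's code and not part of the original notification). `InMemoryGroupBackend`, `GroupNotFound`, `validate_group_ids`, `issue_unscoped_token` and `scope_token` are hypothetical names, and the group ids used with them are constructed sample data.

```python
import logging

LOG = logging.getLogger("federation_example")


class GroupNotFound(Exception):
    """Raised by the stand-in backend when a group id is unknown."""


class InMemoryGroupBackend:
    """Hypothetical stand-in for the identity backend (constructed data)."""

    def __init__(self, group_ids):
        self._groups = set(group_ids)

    def get_group(self, group_id):
        if group_id not in self._groups:
            raise GroupNotFound(group_id)
        return {"id": group_id}

    def delete_group(self, group_id):
        self._groups.discard(group_id)


def validate_group_ids(group_ids, backend):
    """Return the ids present in the backend, in order, without duplicates."""
    valid, seen = [], set()
    for gid in group_ids:
        if gid in seen:
            continue
        seen.add(gid)
        try:
            backend.get_group(gid)
        except GroupNotFound:
            # A typo in a mapping rule or a deleted group ends up here.
            LOG.warning("Mapped group %s not found in backend; dropping it", gid)
            continue
        valid.append(gid)
    return valid


def issue_unscoped_token(mapped_group_ids, backend):
    """Validate at mapping time, before group ids are stored in the token."""
    return {"group_ids": validate_group_ids(mapped_group_ids, backend)}


def scope_token(unscoped_token, backend):
    """Re-validate at scoping time: a group may have been deleted since."""
    ids = validate_group_ids(unscoped_token["group_ids"], backend)
    return {"group_ids": ids, "scoped": True}
```

Validating at both points matters because the unscoped token carries the group list forward: a group deleted between authentication and scoping would otherwise still be referenced by the scoped token.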
