| *** marlinc is now known as Guest1758 | 11:42 | |
| oneswig | Hi - I have a problem with mapping a list of projects in an OIDC assertion into a list of groups in Keystone. If the expansion is anything more elaborate than "{0}" it doesn't work. For example, if I have a groups mapping of "Federated-{0}-users", and an OIDC claim of "['project1', 'project2']", what I'd like to see is a group mapping of ['Federated-project1-users', 'Federated-project2-users'] and what I actually get is "Federat | 13:25 |
|---|---|---|
| oneswig | ed-['project1', 'project2']-users". Am I doing something wrong here? | 13:25 |
| oneswig | There's a list elaboration that looks right at first here - https://github.com/openstack/keystone/blob/stable/wallaby/keystone/federation/utils.py#L749-L751 - but it's elaborating over list data in the local mapping, not the values from the OIDC claims. | 13:30 |
| *** dasm|off is now known as dasm | 13:36 | |
| knikolla | hi oneswig, yeah, I don't think the code is smart enough to do what you're asking of it. It's just going to blindly replace {x} with whatever is in there, in this case it's a list and place it in the middle of a string. | 14:22 |
| knikolla | It might be possible in your identity provider to prepend the attributes in the claim though, so that they're already formatted in your desired way. Or you could place those groups in a dedicated domain so that the 'federated' part is implied by being in a special domain. | 14:23 |
| oneswig | Thanks knikolla, that's helpful. It works if we drop the prefixes and suffixes for group names. The issue is if a claim was made for a project that conflicted with some other group that I need... | 14:26 |
| knikolla | oneswig: That's why I suggested creating a new domain just for those groups. That would prevent conflicts. | 14:31 |
| knikolla | What are you using as an IdP? | 14:33 |
| oneswig | It's an OIDC implementation, I'm not sure what, probably Keycloak. I don't have much ability to change it. | 14:45 |
| knikolla | I see. | 14:45 |
| oneswig | So our admin users group could be in the default domain, and the federated domain could contain no groups but the ones created from OIDC project names? I think that would work! | 14:46 |
| knikolla | Yes | 14:51 |
| oneswig | Thanks knikolla that's helpful | 14:57 |
| knikolla | glad i could help | 15:05 |
| opendevreview | Grzegorz Grasza proposed openstack/keystone master: Properly instantiate FernetUtils https://review.opendev.org/c/openstack/keystone/+/697604 | 15:45 |
| d34dh0r53 | Keystone review-a-thon is kicking off here https://meet.google.com/drx-yoqc-nzs?authuser=0 if anyone is interested | 16:00 |
| opendevreview | Douglas Viroel proposed openstack/keystone-tempest-plugin master: Replace Identity client endpoint type https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/827910 | 17:48 |
| opendevreview | Merged openstack/keystone master: Add details to bootstrap docs for system role assignments https://review.opendev.org/c/openstack/keystone/+/770651 | 18:49 |
| opendevreview | Stephen Finucane proposed openstack/keystone master: sql: Prepare for alembic migration https://review.opendev.org/c/openstack/keystone/+/825843 | 19:35 |
| opendevreview | Stephen Finucane proposed openstack/keystone master: WIP: sql: Integrate alembic https://review.opendev.org/c/openstack/keystone/+/825844 | 19:35 |
| opendevreview | Stephen Finucane proposed openstack/keystone master: WIP: sql: Add support for auto-generation https://review.opendev.org/c/openstack/keystone/+/826147 | 19:35 |
| opendevreview | Stephen Finucane proposed openstack/keystone master: sql: Remove dead helpers https://review.opendev.org/c/openstack/keystone/+/827915 | 19:35 |
| *** dviroel|ruck is now known as dviroel|out | 22:06 | |
| *** dasm is now known as dasm|off | 22:13 | |
| opendevreview | Merged openstack/keystone master: sql: Remove legacy 'migrate_repo' migration repo https://review.opendev.org/c/openstack/keystone/+/823666 | 22:41 |
| opendevreview | Merged openstack/keystone master: sql: Rename initial migrations https://review.opendev.org/c/openstack/keystone/+/823667 | 22:54 |
| opendevreview | Merged openstack/keystone master: Add 'StandardLogging' fixture https://review.opendev.org/c/openstack/keystone/+/824776 | 22:54 |
| opendevreview | Merged openstack/keystone master: Add generate schemas tool https://review.opendev.org/c/openstack/keystone/+/824777 | 22:56 |
| opendevreview | Merged openstack/keystone master: sql: Remove 'get_init_version' https://review.opendev.org/c/openstack/keystone/+/825376 | 22:56 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!