Bug 1487459

Summary: [RFE] cannot use trusts with federated users in keystone
Product: Red Hat OpenStack
Reporter: August Simonelli <asimonel>
Component: openstack-keystone
Assignee: Dave Wilde <dwilde>
Status: CLOSED DUPLICATE
QA Contact: Jeremy Agee <jagee>
Severity: high
Docs Contact:
Priority: medium
Version: 13.0 (Queens)
CC: dhill, dwilde, hrybacki, jbiao, lbragsta, mnadeem, nkinder, pablo.iranzo, sclewis, sputhenp, srelf, srevivo, therve
Target Milestone: ---
Keywords: FutureFeature, Reopened
Target Release: ---
Flags: ifrangs: needinfo? (dwilde)
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-17 18:03:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description August Simonelli 2017-09-01 00:43:20 UTC
Description of problem:

Keystone federation was implemented after trusts. But trusts don't work with federation. It would be good if they did work together.

Raised upstream here: https://bugs.launchpad.net/keystone/+bug/1600366


Version-Release number of selected component (if applicable):
All

How reproducible:
All deployments suffer from this.

Steps to Reproduce:
1.
2.
3.

Actual results:
Federation and trusts don't work together at all.

Expected results:
Federation and trusts should work together.

Additional info:

Comment 1 August Simonelli 2017-09-01 00:43:50 UTC
Affects heat, as seen here: https://bugzilla.redhat.com/show_bug.cgi?id=1480067

Comment 4 August Simonelli 2017-09-12 03:41:04 UTC
Also see: https://review.openstack.org/#/c/415895/

Comment 5 Thomas Hervé 2017-09-13 22:32:02 UTC
In my testing, if you use a mapping for your federated users, it will work for trusts and Heat. The change (https://blueprints.launchpad.net/keystone/+spec/shadow-mapping) landed in Ocata and is in OSP11.

Comment 6 Thomas Hervé 2017-09-21 14:30:57 UTC
*** Bug 1480067 has been marked as a duplicate of this bug. ***

Comment 18 Harry Rybacki 2018-11-01 20:08:32 UTC
Per Cu. comment, this RFE is no longer requested. Closing as WONTFIX -- please re-open if the RFE is re-requested.

Comment 19 David Hill 2020-03-27 13:56:35 UTC
Got another customer hitting this issue again so I'm re-opening.

Comment 20 David Hill 2020-03-27 13:59:23 UTC
This is for RHOSP13 and not RHOSP10.

Comment 21 David Hill 2020-03-27 14:29:41 UTC
The current shadow user doesn't scale well with this:
~~~
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "email": "{0}"
                },
                "groups": "{1}",
                "domain": {
                    "id": "default"
                }
            }
        ],
        "remote": [
            {
                "type": "OIDC-email"
            },
            {
                "type": "OIDC-groups"
            }
        ]
    }
]
~~~

Where would you add "_member_" roles to the existing groups created by various customers using this federated platform?
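
The rule above refers to its `remote` entries only by position, so a placeholder with no matching entry is not caught until a federated login fails. The following Python check is an added example, not code from this thread or from keystone; the consistency rules it applies are assumptions about what a sane rule looks like, and the rule it checks is a constructed, reindented copy of the one in the comment.

```python
import json
import re

# Constructed copy of the mapping rule posted in comment 21, reindented.
# Placeholders such as {0} and {1} are positional references into "remote".
MAPPING_RULES = json.loads("""
[{"local": [{"user": {"name": "{0}", "email": "{0}"},
             "groups": "{1}",
             "domain": {"id": "default"}}],
  "remote": [{"type": "OIDC-email"}, {"type": "OIDC-groups"}]}]
""")

PLACEHOLDER = re.compile(r"\{(\d+)\}")


def _strings(value):
    """Yield every string nested anywhere inside dicts and lists."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from (s for v in value.values() for s in _strings(v))
    elif isinstance(value, list):
        yield from (s for v in value for s in _strings(v))


def check_mapping(rules):
    """Return a list of problems found in a list of mapping rules.

    These checks are hypothetical (not keystone's own validator): every
    {n} placeholder used in "local" must have a remote entry n, and a
    user mapping must set a domain on the entry or on the user itself.
    """
    problems = []
    for i, rule in enumerate(rules):
        remote = rule.get("remote", [])
        local = rule.get("local", [])
        if not remote:
            problems.append(f"rule {i}: no remote attributes to match on")
        for text in _strings(local):
            for idx in map(int, PLACEHOLDER.findall(text)):
                if idx >= len(remote):
                    problems.append(f"rule {i}: {{{idx}}} has no remote entry")
        for entry in local:
            user = entry.get("user")
            if user is not None and "domain" not in entry and "domain" not in user:
                problems.append(f"rule {i}: user mapping sets no domain")
    return problems


if __name__ == "__main__":
    print(check_mapping(MAPPING_RULES) or "mapping looks consistent")
```

Note that role assignment is not something a mapping rule expresses at all; the rule only decides which user and groups a federated login resolves to.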

Comment 22 Steve Relf 2020-04-06 21:22:10 UTC
Hi, commenting so I get updates. Please feel free to reach out if you need additional info.

Just to expand on the above comments.

We use Keycloak, and don't want to have to manage a mapping file which would grow to be massive and unusable, as we are a public cloud.

Comment 28 Dave Wilde 2022-03-17 18:03:36 UTC

*** This bug has been marked as a duplicate of bug 1590932 ***