Bug 1097992 - [RFE][keystone]: Keystone to Keystone federation
Summary: [RFE][keystone]: Keystone to Keystone federation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z2
Target Release: 6.0 (Juno)
Assignee: Nathan Kinder
QA Contact: Mike Abrams
URL: https://blueprints.launchpad.net/keys...
Whiteboard: upstream_milestone_juno-rc1 upstream_...
Depends On:
Blocks:
Reported: 2014-05-15 04:04 UTC by RHOS Integration
Modified: 2016-04-26 21:41 UTC (History)

Fixed In Version: openstack-keystone-2014.2-1.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 18:20:31 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0639 0 normal SHIPPED_LIVE openstack-keystone bug fix advisory 2015-03-06 19:32:03 UTC

Description RHOS Integration 2014-05-15 04:04:32 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/keystone-to-keystone-federation.

Description:


CERN has one openstack cloud setup ("internal cloud") within their data center. They have the keystone sitting on top of an LDAP instance. They would like to burst cloud workload between multiple public cloud service providers ("CSP") should their internal cloud not have enough bandwidth or storage. They would like to provide seamless access for their internal cloud identities. Those identities currently use openstack clients (nova-client, keystone-client) and would like to continue to do so without many changes.
Flow:
a. AuthN against CERN keystone using my credentials
b. Get a token back with a service catalog showing CERN openstack services (nova, swift, etc.) and the CSP service catalog
c. Attempt to use the token against the CSP nova service
d. CSP nova service calls CSP keystone (no change)
e. CSP keystone deciphers the token as belonging to the CERN keystone IdP (which it sees as being set up as a trusted identity provider with the attribute mappings we need to use)
f. CSP keystone calls CERN keystone (SAML or other federation protocol request and negotiation)
g. CERN keystone shows CSP set up as a trusted service provider (with the attribute mappings it should expect)
h. CERN Keystone returns a SAML (or other federation protocol) assertion to CSP Keystone
i. CSP keystone deciphers the assertion and provisions a temporary user. The token is deemed valid and stored in CSP keystone for future validation calls until expiration


Specification URL (additional information):

None
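To make the trust checks in steps e, g and i concrete, here is an added toy model of the two keystones (example code, not Keystone's own and not from the blueprint): the CSP side accepts a token only from a registered identity provider and maps the returned assertion through Keystone-style mapping rules; the CERN side hands out an assertion only to a registered service provider. The mapping-rule format is a subset of Keystone's federation mapping JSON; the user, role, token and provider names are constructed.

```python
# Toy model of the K2K flow above; not Keystone code, everything here is constructed.
# Subset of Keystone's federation mapping JSON: "type", "any_one_of" and "{0}".
CERN_MAPPING = {"rules": [{
    "remote": [{"type": "openstack_user"},
               {"type": "openstack_roles", "any_one_of": ["member", "admin"]}],
    "local": [{"user": {"name": "{0}"}}, {"group": {"name": "cern-burst"}}]}]}
def apply_mapping(mapping, attrs):
    """Return the local identity for `attrs`, or None if no rule matches."""
    for rule in mapping["rules"]:
        matched = []
        for req in rule["remote"]:
            got = attrs.get(req["type"])
            vals = got if isinstance(got, list) else [got]
            if got is None or (req.get("any_one_of") and not set(vals) & set(req["any_one_of"])):
                break
            matched.append(got)
        else:  # every remote requirement satisfied -> build the local side
            return {k: {f: v.format(*matched) for f, v in spec.items()}
                    for item in rule["local"] for k, spec in item.items()}
    return None
class Keystone:
    def __init__(self, name):
        self.name, self.users = name, {}            # users: stand-in for CERN's LDAP
        self.trusted_sps = set()                    # IdP side, step g
        self.trusted_idps, self.ephemeral = {}, {}  # SP side, steps e and i

    def issue_assertion(self, sp_name, token):      # CERN keystone, steps f-h
        if sp_name not in self.trusted_sps:
            raise PermissionError(f"{sp_name} is not a trusted service provider")
        return {"issuer": self.name, "attrs": {"openstack_user": token["user"],
                "openstack_roles": self.users[token["user"]]["roles"]}}

    def validate_federated(self, token, idp, now):  # CSP keystone, steps e and i
        if token["issuer"] not in self.trusted_idps:
            raise PermissionError(f"unknown identity provider {token['issuer']}")
        if now >= token["expires"]:
            raise PermissionError("token expired")
        if token["id"] not in self.ephemeral:       # cache mapped user until expiry
            attrs = idp.issue_assertion(self.name, token)["attrs"]
            local = apply_mapping(self.trusted_idps[token["issuer"]], attrs)
            if local is None:
                raise PermissionError("no mapping rule matched the assertion")
            self.ephemeral[token["id"]] = local
        return self.ephemeral[token["id"]]
def setup():  # CERN keystone (IdP) and CSP keystone (SP) with mutual trust configured
    cern, csp = Keystone("cern"), Keystone("csp")
    cern.users["alice"] = {"roles": ["member"]}
    cern.trusted_sps.add("csp")
    csp.trusted_idps["cern"] = CERN_MAPPING
    return cern, csp
```

A token whose role set matches no rule, a token from an issuer the SP has not registered, or a request from an SP the IdP has not registered all fail closed with PermissionError rather than yielding a provisioned user.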

Comment 2 Udi Kalifon 2014-11-20 15:42:43 UTC
This will not be possible until we have mod_mellon in RHEL 7.1. This should not be a "High" priority RFE for RHOS6 GA.

Comment 4 Arthur Berezin 2014-12-28 15:33:27 UTC
RHEL7.1 Beta is out, we should be able to test this now.

Comment 7 Arthur Berezin 2015-02-16 09:09:17 UTC
Pushing this to next async release

Comment 9 errata-xmlrpc 2015-03-05 18:20:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0639.html

