Description of problem:
Keystone federation was implemented after trusts. But trusts don't work with federation. It would be good if they did work together.

Raised upstream here: https://bugs.launchpad.net/keystone/+bug/1600366

Version-Release number of selected component (if applicable):
All

How reproducible:
All deployments suffer from this.

Steps to Reproduce:
1.
2.
3.

Actual results:
Federation and trusts don't work together at all.

Expected results:
Federation and trusts should work together.

Additional info:
Affects heat, as seen here: https://bugzilla.redhat.com/show_bug.cgi?id=1480067
Also see: https://review.openstack.org/#/c/415895/
In my testing, if you use a mapping for your federated users, it will work for trusts and Heat. The change (https://blueprints.launchpad.net/keystone/+spec/shadow-mapping) landed in Ocata and is in OSP11.
*** Bug 1480067 has been marked as a duplicate of this bug. ***
Per Cu. comment, this RFE is no longer requested. Closing as WONTFIX -- please re-open if the RFE is re-requested.
Got another customer hitting this issue again so I'm re-opening.
This is for RHOSP13 and not RHOSP10.
The current shadow user doesn't scale well with this:

~~~
[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "email": "{0}"
        },
        "groups": "{1}",
        "domain": {
          "id": "default"
        }
      }
    ],
    "remote": [
      {
        "type": "OIDC-email"
      },
      {
        "type": "OIDC-groups"
      }
    ]
  }
]
~~~

Where would you add "_member_" roles to the existing groups created by various customers using this federated platform?
Hi, commenting so I get updates. Please feel free to reach out if you need additional info. Just to expand on the above comments: we use Keycloak, and don't want to have to manage a mapping file which would grow to be massive and unusable, as we are a public cloud.
*** This bug has been marked as a duplicate of bug 1590932 ***