Research: Keystone mapping engine supports multivalue role mapping

SovereignCloudStack / issues

This repository is used for issues that are cross-repository or not bound to a specific repository.

https://github.com/orgs/SovereignCloudStack/projects/6

2 stars 1 forks source link

Research: Keystone mapping engine supports multivalue role mapping #361

Open JuanPTM opened 1 year ago

JuanPTM commented 1 year ago

there are several points to this:

Keystone only splits multivalues for groups. Research this.
Probably you cannot have multivalue projects using the mapping engine.

Research needed on both cases.

JuanPTM commented 1 year ago

Source code for assertion process: https://github.com/openstack/keystone/blob/093b42a1abe30475ec913a04590f328d1c0ab2b7/keystone/federation/utils.py#L535

Till769 commented 7 months ago

Have you identified a solution or a feasible workaround for mapping multiple projects in Keystone?

reqa commented 7 months ago

While the proposal https://review.opendev.org/c/openstack/keystone/+/742235 is not yet accepted one can pre-provision projects and assign users to them. I think one can also use groups for that and the Keystone mapping engine supports the groups Keyword (plural!), look for the statement Groups can have multiple values. Each value must be separated by a ; Example: OIDC_GROUPS=developers;testers in the mapping combinations document.