Allow assignment of domain specific role to federated users

After the patch "Keystone to honor the "domain" attribute mapping rules."
it is not possible to assign domain-specific roles to federated users
when the user domain is specified on the claim.

This patch aims to fix this, allowing the mapping of both non-domain-specific
roles and domain-specific roles, if the domain is specified on the claim.

Depends-on: https://review.opendev.org/#/c/739966/
related-Bug: #1887515
Change-Id: Ie3d7585cb9143686a93e4a19843698274475eaf6
Signed-off-by: Juan Pedro Torres Muñoz <juanp.95.torres@gmail.com>
This commit is contained in:
Juan Pedro Torres 2024-01-29 19:45:00 +01:00 committed by Juan Pedro Torres Muñoz
parent 0608537f03
commit 04fc88a56c
1 changed files with 6 additions and 5 deletions


@ -163,8 +163,8 @@ def handle_projects_from_mapping(shadow_projects, idp_domain_id,
def handle_unscoped_token(auth_payload, resource_api, federation_api,
identity_api, assignment_api, role_api):
def validate_shadow_mapping(shadow_projects, existing_roles, idp_domain_id,
idp_id):
def validate_shadow_mapping(shadow_projects, existing_roles,
user_domain_id, idp_id):
# Validate that the roles in the shadow mapping actually exist. If
# they don't we should bail early before creating anything.
for shadow_project in shadow_projects:
@ -184,11 +184,11 @@ def handle_unscoped_token(auth_payload, resource_api, federation_api,
raise exception.RoleNotFound(shadow_role['name'])
role = existing_roles[shadow_role['name']]
if (role['domain_id'] is not None and
role['domain_id'] != idp_domain_id):
role['domain_id'] != user_domain_id):
LOG.error(
'Role %(role)s is a domain-specific role and '
'cannot be assigned within %(domain)s.',
{'role': shadow_role['name'], 'domain': idp_domain_id}
{'role': shadow_role['name'], 'domain': user_domain_id}
)
raise exception.DomainSpecificRoleNotWithinIdPDomain(
role_name=shadow_role['name'],
@ -271,10 +271,11 @@ def handle_unscoped_token(auth_payload, resource_api, federation_api,
# mapping and what it's saying to create. If there is something
# wrong with how the mapping is, we should bail early before we
# create anything.
validate_shadow_mapping(
mapped_properties['projects'],
existing_roles,
idp_domain_id,
mapped_properties['user']['domain']['id'],
identity_provider
)
handle_projects_from_mapping(
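Review bot: The new call in the third hunk indexes `mapped_properties['user']['domain']['id']` unconditionally, so a mapping that sets no user domain would now surface as a KeyError (an unhandled server error) where the old code passed `idp_domain_id`; unless the depends-on change guarantees that key is always populated before this point, read it defensively, e.g. `user_domain_id = mapped_properties['user'].get('domain', {}).get('id', idp_domain_id)` and pass `user_domain_id` to `validate_shadow_mapping`. In the second hunk the comparison and the log payload now use the domain from the mapping output, but the message text and the `DomainSpecificRoleNotWithinIdPDomain` exception still describe the IdP domain, which will mislead whoever reads the log after a rejected assignment; consider `'cannot be assigned within user domain %(domain)s.'` (the exception's remaining keyword arguments are outside the hunk). The parameter rename in the first hunk changes what this check trusts, so a one-line comment such as `# user_domain_id comes from the mapping rules' output, not from the IdP's own domain` would document the boundary; keep it hedged if the value can be taken straight from the assertion. validate_shadow_mapping is nested inside handle_unscoped_token, whose body starts and ends outside the hunks.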