diff --git a/keystone/identity/shadow_backends/sql.py b/keystone/identity/shadow_backends/sql.py
index 339b6af0ff..5ac8b6469a 100644
--- a/keystone/identity/shadow_backends/sql.py
+++ b/keystone/identity/shadow_backends/sql.py
@@ -13,11 +13,11 @@
 import copy
 import datetime
 import sqlalchemy
-import uuid
 
 from oslo_config import cfg
 from oslo_db import api as oslo_db_api
 
+from keystone.common import provider_api
 from keystone.common import sql
 from keystone import exception
 from keystone.identity.backends import base as identity_base
@@ -26,13 +26,21 @@ from keystone.identity.shadow_backends import base
 
 
 CONF = cfg.CONF
+PROVIDERS = provider_api.ProviderAPIs
 
 
 class ShadowUsers(base.ShadowUsersDriverBase):
     @sql.handle_conflicts(conflict_type='federated_user')
     def create_federated_user(self, domain_id, federated_dict, email=None):
+
+        local_entity = {'domain_id': domain_id,
+                        'local_id': federated_dict['unique_id'],
+                        'entity_type': 'user'}
+
+        public_id = PROVIDERS.id_generator_api.generate_public_ID(local_entity)
+
         user = {
-            'id': uuid.uuid4().hex,
+            'id': public_id,
             'domain_id': domain_id,
             'enabled': True
         }
diff --git a/releasenotes/notes/bug-1641639-b9accc163e61ca15.yaml b/releasenotes/notes/bug-1641639-b9accc163e61ca15.yaml
new file mode 100644
index 0000000000..08d358f58e
--- /dev/null
+++ b/releasenotes/notes/bug-1641639-b9accc163e61ca15.yaml
@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    A Federated user gets an entry in the shadow-users table. This
+    entry has a unique ID. It was generated using a UUID. This fix
+    changes to reuse the mechanism for LDAP, where the ID is generated
+    from the domain ID + the local id of the user (an attribute that
+    uniquely ids the user from the IdP). This generator is specified
+    by the configuration file. Now Both LDAP and Federated Ids are
+    generated the same way. It also means that Federated IDs can be
+    kept in sync between two independtent Keystone servers.
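Review bot: In the second hunk of sql.py the user id is now a deterministic function of only `domain_id` and `federated_dict['unique_id']` (the `local_entity` dict carries no identity-provider or protocol component), so two IdPs that map into the same domain and hand out the same `unique_id` for different people would produce the same public id, and the second create would fail on the primary key instead of yielding a distinct user as the `uuid4` path did; the collision would surface as the conflict that `handle_conflicts` translates, which is a hard failure for that user rather than silent merging, but it is a behavioural change the release note does not mention. If `federated_dict` also carries the IdP identifier, folding it into `local_id` would keep the id deterministic while restoring per-IdP uniqueness; otherwise the assumption deserves a comment above `local_entity` such as `# NOTE: public id is derived from (domain_id, unique_id) only; unique_id must be unique across all IdPs mapped into this domain`. Note also that, unlike the LDAP path this is modelled on, only `generate_public_ID` is called here and no id-mapping record appears to be created — presumably intentional since the shadow table holds the mapping, but worth confirming. The body of `create_federated_user` continues past the end of the hunk.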