"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/source/admin/federation/mapping_combinations.rst" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

mapping_combinations.rst  (keystone-16.0.1):mapping_combinations.rst  (keystone-17.0.0)
skipping to change at line 889 skipping to change at line 889
keystone-to-keystone federation also utilizes mappings, but has some keystone-to-keystone federation also utilizes mappings, but has some
differences. differences.
An attribute file (e.g. ``/etc/shibboleth/attribute-map.xml`` in a Shibboleth An attribute file (e.g. ``/etc/shibboleth/attribute-map.xml`` in a Shibboleth
implementation) is used to add attributes to the mapping `context`. Attributes implementation) is used to add attributes to the mapping `context`. Attributes
look as follows: look as follows:
.. code-block:: xml .. code-block:: xml
<!-- example from a K2k Shibboleth implementation --> <!-- example 1 from a K2k Shibboleth implementation -->
<Attribute name="openstack_user" id="openstack_user"/> <Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_user_domain" id="openstack_user_domain"/> <Attribute name="openstack_user_domain" id="openstack_user_domain"/>
The service provider must contain a mapping as shown below. The service provider must contain a mapping as shown below.
``openstack_user``, and ``openstack_user_domain`` match to the attribute ``openstack_user``, and ``openstack_user_domain`` match to the attribute
names we have in the Identity Provider. It will map any user with the name names we have in the Identity Provider. It will map any user with the name
``user1`` or ``admin`` in the ``openstack_user`` attribute and ``user1`` or ``admin`` in the ``openstack_user`` attribute and
``openstack_domain`` attribute ``default`` to a group with id ``abc1234``. ``openstack_domain`` attribute ``default`` to a group with id ``abc1234``.
.. code-block:: json .. code-block:: json
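Review bot: Renaming the comment to "example 1" is fine, but the explanatory paragraph for this example still contradicts the rule it introduces: it says the ``openstack_domain`` attribute must be ``default``, whereas the attribute declared in the XML is ``openstack_user_domain`` and the mapping's ``any_one_of`` list holds ``"Default"``. ``any_one_of`` is a literal comparison, so the casing is significant; suggest changing the sentence to read "``openstack_user_domain`` attribute ``Default``" so that the prose, the attribute file and the JSON rule agree.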
skipping to change at line 930 skipping to change at line 930
"type":"openstack_user_domain", "type":"openstack_user_domain",
"any_one_of": [ "any_one_of": [
"Default" "Default"
] ]
} }
] ]
} }
] ]
} }
A keystone user's groups can also be mapped to groups in the service provider.
For example, with the following attributes declared in Shibboleth's attributes f
ile:
.. code-block:: xml
<!-- example 2 from a K2k Shibboleth implementation -->
<Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_groups" id="openstack_groups"/>
Then the following mapping can be used to map the user's group membership from t
he keystone
IdP to groups in the keystone SP:
.. code-block:: json
{
"rules": [
{
"local":
[
{
"user":
{
"name": "{0}"
}
},
{
"groups": "{1}"
}
],
"remote":
[
{
"type": "openstack_user"
},
{
"type": "openstack_groups"
}
]
}
]
}
``openstack_user``, and ``openstack_groups`` will be matched by service
provider to the attribute names we have in the Identity Provider. It will
take the ``openstack_user`` attribute and finds in the assertion then inserts
it directly in the mapping. The identity provider will set the value of
``openstack_groups`` by group name and domain name to which the user belongs
in the Idp. Suppose the user belongs to 'group1' in domain 'Default' in the IdP
then it will map to a group with the same name and same domain's name in the SP.
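Review bot: The new paragraph does not say what the service provider does when the assertion names a group that does not exist in the SP, and it does not point out that ``"groups": "{1}"`` lets the identity provider decide which SP groups (and therefore which role assignments) a federated user receives; a sentence on each would help operators judge the trust they are extending to the IdP. The prose also needs a grammar pass: "will be matched by service provider" is missing "the", "take the ``openstack_user`` attribute and finds in the assertion then inserts it directly" does not parse, "Idp" should be "IdP", and "same domain's name" reads better as "the same domain name". Finally, the lines beginning "For example, with the following attributes" and "Then the following mapping can be used" run past the wrap width used by the rest of this file (the viewer breaks them mid-word); re-wrap them to match the surrounding text.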
The possible attributes that can be used in a mapping are `openstack_user`, The possible attributes that can be used in a mapping are `openstack_user`,
`openstack_user_domain`, `openstack_roles`, `openstack_project`, and `openstack_user_domain`, `openstack_roles`, `openstack_project`,
`openstack_project_domain`. `openstack_project_domain` and `openstack_groups`.
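Review bot: The attribute list uses single backticks (`openstack_groups`), which reStructuredText renders as interpreted text rather than as a literal, while the rest of this file marks attribute names with double backticks (``openstack_user``); switch the list to double backticks for consistency. The edit also drops the serial comma the sentence had before ("`openstack_project`, and"); suggest "``openstack_project_domain``, and ``openstack_groups``".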
 End of changes. 3 change blocks. 
1 lines changed or deleted 53 lines changed or added
