"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/source/admin/federation/mapping_combinations.rst" between
keystone-17.0.0.tar.gz and keystone-18.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (latest release).

mapping_combinations.rst  (keystone-17.0.0):mapping_combinations.rst  (keystone-18.0.0)
skipping to change at line 278 skipping to change at line 278
.. NOTE:: .. NOTE::
The numbers in braces {} are indices, they map in order. For example:: The numbers in braces {} are indices, they map in order. For example::
- Mapping to user with the name matching the value in remote attribute F irstName - Mapping to user with the name matching the value in remote attribute F irstName
- Mapping to user with the name matching the value in remote attribute L astName - Mapping to user with the name matching the value in remote attribute L astName
- Mapping to user with the email matching value in remote attribute Emai l - Mapping to user with the email matching value in remote attribute Emai l
- Mapping to a group(s) with the name matching the value(s) in remote at tribute OIDC_GROUPS - Mapping to a group(s) with the name matching the value(s) in remote at tribute OIDC_GROUPS
.. NOTE::
If the user id and name are not specified in the mapping, the server tries t
o
directly map ``REMOTE_USER`` environment variable. If this variable is also
unavailable the server returns an HTTP 401 Unauthorized error.
Groups can have multiple values. Each value must be separated by a `;` Groups can have multiple values. Each value must be separated by a `;`
Example: OIDC_GROUPS=developers;testers Example: OIDC_GROUPS=developers;testers
other conditions other conditions
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
In ``<other_condition>`` shown below, please supply one of the following: In ``<other_condition>`` shown below, please supply one of the following:
``any_one_of``, or ``not_any_of``. ``any_one_of``, or ``not_any_of``.
.. code-block:: json .. code-block:: json
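Review bot: the REMOTE_USER note moved into this hunk now lands between the "indices" NOTE and the sentence "Groups can have multiple values. Each value must be separated by a `;`", which is the caveat for the OIDC_GROUPS item of that same indices list; splitting them makes the `;`-separator rule read as a continuation of the REMOTE_USER / HTTP 401 note rather than of the group-index explanation. Place the moved NOTE after the "Example: OIDC_GROUPS=developers;testers" line instead, so the index list and its group-value caveat stay together and the 401 fallback reads as its own point.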
skipping to change at line 353 skipping to change at line 359
"type": "HTTP_OIDC_GROUPIDS", "type": "HTTP_OIDC_GROUPIDS",
"<other_condition>": [ "<other_condition>": [
"me@example.com" "me@example.com"
] ]
} }
] ]
} }
] ]
} }
.. NOTE:: In the above example, a whitelist can be used to only map the user into a few of
the groups in their ``HTTP_OIDC_GROUPIDS`` remote attribute:
If the user id and name are not specified in the mapping, the server tries t .. code-block:: json
o
directly map ``REMOTE_USER`` environment variable. If this variable is also {
unavailable the server returns an HTTP 401 Unauthorized error. "type": "HTTP_OIDC_GROUPIDS",
"whitelist": [
"Developers",
"OpsTeam"
]
}
A blacklist can map the user into all groups except those matched:
Group ids and names can be provided in the local section: .. code-block:: json
{
"type": "HTTP_OIDC_GROUPIDS",
"blacklist": [
"Finance"
]
}
Regular expressions can be used in any condition for more flexible matches:
.. code-block:: json
{
"type": "HTTP_OIDC_GROUPIDS",
"whitelist": [
".*Team$"
]
}
When mapping into groups, either ids or names can be provided in the local secti
on:
.. code-block:: json .. code-block:: json
{ {
"local": [ "local": [
{ {
"group": { "group": {
"id":"0cd5e9" "id":"0cd5e9"
} }
} }
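Review bot: the new "Regular expressions can be used in any condition" example is missing `"regex": true`; as written, the whitelist entry `".*Team$"` is a plain string and will only ever match a group literally named `.*Team$`. The later example in this same file pairs its `".*@yeah.com$"` and `"Project.*$"` patterns with `"regex": true`, so this block should do the same, e.g. `"whitelist": [ ".*Team$" ], "regex": true`, and the sentence introducing it should say the flag is required. Minor: the removed REMOTE_USER NOTE is re-added in the earlier hunk, so nothing is lost, but the new whitelist/blacklist paragraphs still describe the whitelist as mapping "into a few of the groups" without saying that the matched values are then consumed by a `{n}` group name in the local section; a forward pointer to the "either ids or names can be provided in the local section" sentence would close that gap.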
skipping to change at line 503 skipping to change at line 538
{ {
"rules": [ "rules": [
{ {
"local": [ "local": [
{ {
"user": { "user": {
"name": "{0}" "name": "{0}"
}, },
"group": { "group": {
"id": "0cd5e9" "name": "{1}",
"domain": {
"id": "abc1234"
}
} }
}, },
], ],
"remote": [ "remote": [
{ {
"type": "UserName" "type": "UserName"
}, },
{ {
"type": "HTTP_OIDC_GROUPIDS", "type": "HTTP_OIDC_GROUPIDS",
"any_one_of": [ "any_one_of": [
".*@yeah.com$" ".*@yeah.com$"
] ]
"regex": true "regex": true
} },
{
"type": "HTTP_OIDC_GROUPIDS",
"whitelist": [
"Project.*$"
],
"regex": true
}
] ]
} }
] ]
} }
This allows any user with a claim containing a key with any value in This allows any user with a claim containing a key with any value in
``HTTP_OIDC_GROUPIDS`` to be mapped to group with id ``0cd5e9``. ``HTTP_OIDC_GROUPIDS`` to be mapped to group with id ``0cd5e9``. Additionally,
for every value in the ``HTTP_OIDC_GROUPIDS`` claim matching the string
``Project.*``, the user will be assigned to the project with that name.
Condition Combinations Condition Combinations
---------------------- ----------------------
Combinations of mappings conditions can also be done. Combinations of mappings conditions can also be done.
``empty``, ``any_one_of``, and ``not_any_of`` can all be used in the same rule, ``empty``, ``any_one_of``, and ``not_any_of`` can all be used in the same rule,
but cannot be repeated within the same condition. ``any_one_of`` and but cannot be repeated within the same condition. ``any_one_of`` and
``not_any_of`` are mutually exclusive within a condition's scope. So are ``not_any_of`` are mutually exclusive within a condition's scope. So are
``whitelist`` and ``blacklist``. ``whitelist`` and ``blacklist``.
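Review bot: the explanatory paragraph at the end of this hunk no longer matches the rule above it. The local `group` block now reads `"name": "{1}"` with `"domain": {"id": "abc1234"}`, yet the text still says the user is "mapped to group with id ``0cd5e9``"; it should say the user is mapped into the group whose name is the matched ``HTTP_OIDC_GROUPIDS`` value in domain ``abc1234``. The added sentence "the user will be assigned to the project with that name" is also wrong for this rule: the local section declares only a `group`, not a `project`, so the `Project.*$` whitelist selects group names, and the wording should say group. Separately, the JSON in this block is not valid as shown: there is a trailing comma after the `},` that closes the local entry before `],`, and `"regex": true` follows the `any_one_of` array with no comma between `]` and it; both were already present before this change but the hunk touches those lines and is the natural place to fix them.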
 End of changes. 7 change blocks. 
9 lines changed or deleted 57 lines changed or added
