Allow filtering variables passed to the RuleProcessor

Bug #1293436 reported by Marek Denis
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Marek Denis |

Bug Description

During SAML2 authentication the whole environment dictionary is passed to the RuleProcessor object (this dictionary will only contain basestring-inheriting values after bug #1290258 is fixed). It'd be much better to additionally let users filter what can be passed to the RuleProcessor by choosing only parameters with a certain prefix.
A new configuration parameter, ``assertion_prefix``, should be added, defaulting to an empty string, which would not impact users who don't want to use this filtering method.

Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/80946

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph) wrote :

Is the prefix configurable in mod_shib?

Changed in keystone:
importance: Undecided → Medium
Marek Denis (marek-denis) wrote :

Yes, you can define your local names of assertion parameters in the config file attribute-map.xml (tags 'id').

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/80946
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b304238c070f78e3ea3879768738a197cfe7c713
Submitter: Jenkins
Branch: master

commit b304238c070f78e3ea3879768738a197cfe7c713
Author: Marek Denis <email address hidden>
Date: Mon Mar 17 11:49:54 2014 +0100

    Filter SAML2 assertion parameters with certain prefix.

    Add ``assertion_prefix`` option that filters environment parameters
    that will be passed to the RuleProcessor object. Parameters' names
    must start with ``assertion_prefix`` value.
    If not configured, ``assertion_prefix`` defaults to an empty string,
    and all environment parameters are passed to the RuleProcessor.

    Change-Id: I2696bbadcfff9745d8edca6c896c13fda49d636e
    Closes-Bug: #1293436
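
The filtering described in the bug report and commit message above, sketched as an added example (not Keystone's code and not part of the bug thread). `filter_assertion`, the `SAML_` prefix and the sample environment are hypothetical and constructed for illustration; the string-only check stands in for the separate fix tracked in bug #1290258.

```python
# Added illustration; not Keystone's implementation.

def filter_assertion(environ, assertion_prefix=""):
    """Return the string-valued entries whose key starts with the prefix.

    An empty prefix matches every key, so nothing is filtered by name and
    the whole (string-valued) environment reaches the rule processor.
    """
    return {
        key: value
        for key, value in environ.items()
        # Python 3 `str` stands in for Python 2's `basestring` here.
        if isinstance(value, str) and key.startswith(assertion_prefix)
    }


# Constructed WSGI-style environment: server variables, a request header,
# a non-string WSGI object, and attributes the service provider exposes
# under "SAML_" (a hypothetical naming set through the 'id' values in
# attribute-map.xml).
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "POST",
    "PATH_INFO": "/example",
    "HTTP_USER_AGENT": "example-client",
    "wsgi.input": object(),
    "SAML_userName": "alice",
    "SAML_orgPersonType": "staff",
}


def rule_processor_keys(assertion_prefix=""):
    """Sorted key names that would be handed to the rule processor."""
    return sorted(filter_assertion(SAMPLE_ENVIRON, assertion_prefix))


if __name__ == "__main__":
    print("default (empty prefix):", rule_processor_keys())
    print("assertion_prefix='SAML_':", rule_processor_keys("SAML_"))
```

With the default empty prefix, request headers and server variables sit alongside the assertion attributes in the mapping input; with a prefix configured, only the names the service provider was set up to emit remain.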

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc1 → 2014.1