[RFE] Allow keystone to query sub-group membership for group role-assignment
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Triaged | Low | Unassigned | |
Bug Description
A common request we see from corporate environments when providing Active Directory/LDAP integration into keystone is the ability for role assignments to apply for users who are members of a sub-group of the role-assigned group.
For instance, if you have the following groups:

```
cn=Project1_
member: user1
member: user2
memberGroup: cn=Project1_

cn=Project1_
member: adminuser
```
And you defined Project1 in openstack and then defined group Project1_Users to be assigned "Member" role in Project1, only user1 and user2 would be granted that role, even though adminuser is technically a member of that group from an Active Directory perspective. You would have to also assign Project1_Admins to the "Member" role for Project1 for adminuser to be granted Member rights.
The keystone code does not handle subgroup membership for group-role-
In ActiveDirectory, there is a memberOf OID subquery (memberOf:
It would be very useful to either be able to identify a way to query group membership based on this OID query or to define a "group_
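The flat-versus-nested lookup described in this report, as an added example (not keystone code): a constructed in-memory directory reproduces the Project1_Users / Project1_Admins layout, a direct-member lookup misses adminuser, a transitive walk finds it, and the Active Directory in-chain matching rule filter is shown as the server-side alternative. DNs, the `memberGroup` attribute name and the example.com suffix are assumptions taken from the report's listing.

```python
"""Resolve nested LDAP group membership offline (added example, not keystone code)."""
from typing import Dict, List, Set

# Constructed sample directory keyed by group DN, not real AD data.
# 'member' lists user DNs; 'memberGroup' lists nested group DNs, as in the report.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Project1_Users,ou=groups,dc=example,dc=com": {
        "member": ["cn=user1,ou=people,dc=example,dc=com",
                   "cn=user2,ou=people,dc=example,dc=com"],
        "memberGroup": ["cn=Project1_Admins,ou=groups,dc=example,dc=com"],
    },
    "cn=Project1_Admins,ou=groups,dc=example,dc=com": {
        "member": ["cn=adminuser,ou=people,dc=example,dc=com"],
        "memberGroup": [],
    },
}

def flat_members(group_dn: str, directory=DIRECTORY) -> Set[str]:
    """Direct members only: this is the lookup the report says keystone performs."""
    return set(directory.get(group_dn, {}).get("member", []))

def nested_members(group_dn: str, directory=DIRECTORY, max_depth: int = 10) -> Set[str]:
    """Follow memberGroup links transitively. A visited set stops on group cycles
    (A -> B -> A) and max_depth bounds pathological nesting."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [(group_dn, 0)]
    while stack:
        dn, depth = stack.pop()
        if dn in seen or depth > max_depth:
            continue
        seen.add(dn)
        entry = directory.get(dn, {})
        users.update(entry.get("member", []))
        stack.extend((sub, depth + 1) for sub in entry.get("memberGroup", []))
    return users

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN with '(' ')' '*' or '\\' cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def ad_in_chain_filter(group_dn: str) -> str:
    """Server-side alternative: Active Directory's LDAP_MATCHING_RULE_IN_CHAIN
    (OID 1.2.840.113556.1.4.1941) expands nesting inside one search."""
    return "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=%s))" % escape_filter_value(group_dn)
```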
tags: added: cpe-onsite
Changed in keystone:
status: New → Triaged
importance: Undecided → Low
tags: added: ldap