)]}'
{"specs/keystone/ussuri/expiring-group-memberships.rst":[{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"0acdea55d7e9b33813ba57e38847c1738a01d275","unresolved":false,"context_lines":[{"line_number":11,"context_line":"`bug #1809116 \u003chttps://bugs.launchpad.net/keystone/+bug/1809116\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Add federated users to the groups that they receive from the mapping rules."},{"line_number":14,"context_line":"This membership is only carried by the token and not persisted in the"},{"line_number":15,"context_line":"database. The membership expires, but can be renewed when the user"},{"line_number":16,"context_line":"authenticates with the same group."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_0a80d448","line":15,"range":{"start_line":14,"start_character":0,"end_line":15,"end_character":9},"updated":"2020-01-21 22:44:52.000000000","message":"I am not sure if we can easily audit this. Is this information available in CADF?","commit_id":"09f8b8b4b4b65e440af6c11fa940bdea83340370"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"0acdea55d7e9b33813ba57e38847c1738a01d275","unresolved":false,"context_lines":[{"line_number":20,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Currently, federated users that receive their authorization as part of"},{"line_number":23,"context_line":"mapping to a group, cannot create trusts or application credentials. Creation"},{"line_number":24,"context_line":"will fail saying that the user doesn\u0027t have the role. 
That is because that"},{"line_number":25,"context_line":"role assignment is only valid for the duration of their token, and not"},{"line_number":26,"context_line":"permanently added to the user."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"We cannot make the group membership concrete, because that user would then"},{"line_number":29,"context_line":"have those permissions even if their state in the external identity provider"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_cc3415e2","line":26,"range":{"start_line":23,"start_character":68,"end_line":26,"end_character":30},"updated":"2020-01-21 22:44:52.000000000","message":"By design. :-)\n\nThings could get dicey if we allow *ephemeral* users to create *static things* such as trusts, application credentials, etc. in Keystone. If a federated user is no longer valid, how do we clean up those things in Keystone? And how do we keep track of them?","commit_id":"09f8b8b4b4b65e440af6c11fa940bdea83340370"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"0acdea55d7e9b33813ba57e38847c1738a01d275","unresolved":false,"context_lines":[{"line_number":25,"context_line":"role assignment is only valid for the duration of their token, and not"},{"line_number":26,"context_line":"permanently added to the user."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"We cannot make the group membership concrete, because that user would then"},{"line_number":29,"context_line":"have those permissions even if their state in the external identity provider"},{"line_number":30,"context_line":"changes."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"The problem has been reported and discussed as `bug 
1589993"},{"line_number":33,"context_line":"\u003chttps://bugs.launchpad.net/keystone/+bug/1589993\u003e`_."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_2cfb6915","line":30,"range":{"start_line":28,"start_character":0,"end_line":30,"end_character":8},"updated":"2020-01-21 22:44:52.000000000","message":"That\u0027s true for LDAP users as well. But we shadow LDAP users locally, no?","commit_id":"09f8b8b4b4b65e440af6c11fa940bdea83340370"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"0acdea55d7e9b33813ba57e38847c1738a01d275","unresolved":false,"context_lines":[{"line_number":40,"context_line":"------------"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"When a federated user authenticates through the mapping driver, the list of"},{"line_number":43,"context_line":"group IDs is added to the token. We will persist that group membership to the"},{"line_number":44,"context_line":"database."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Every time the user authenticates through federation, the list of groups is"},{"line_number":47,"context_line":"reevaluated, and already existing (expired or not) memberships are renewed"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_ec6791eb","line":44,"range":{"start_line":43,"start_character":33,"end_line":44,"end_character":9},"updated":"2020-01-21 22:44:52.000000000","message":"Persist or not persist? Line 14 says not persisted.","commit_id":"09f8b8b4b4b65e440af6c11fa940bdea83340370"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"0acdea55d7e9b33813ba57e38847c1738a01d275","unresolved":false,"context_lines":[{"line_number":43,"context_line":"group IDs is added to the token. 
We will persist that group membership to the"},{"line_number":44,"context_line":"database."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Every time the user authenticates through federation, the list of groups is"},{"line_number":47,"context_line":"reevaluated, and already existing (expired or not) memberships are renewed"},{"line_number":48,"context_line":"and new ones are added."},{"line_number":49,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_6cb08142","line":46,"range":{"start_line":46,"start_character":20,"end_line":46,"end_character":33},"updated":"2020-01-21 22:44:52.000000000","message":"Authenticates or during token validation? For internal user token, we check group membership and role assignments dynamically during token validation.","commit_id":"09f8b8b4b4b65e440af6c11fa940bdea83340370"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"0acdea55d7e9b33813ba57e38847c1738a01d275","unresolved":false,"context_lines":[{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Each group membership is individually expirable and renewable."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Expiring group memberships will only be used for user group memberships"},{"line_number":53,"context_line":"through the mapping driver and not through other drivers or backends."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"The user will be allowed to create application credentials. however they will"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_2c804949","line":52,"range":{"start_line":52,"start_character":0,"end_line":52,"end_character":27},"updated":"2020-01-21 22:44:52.000000000","message":"Is this only applicable to external users or all users?","commit_id":"09f8b8b4b4b65e440af6c11fa940bdea83340370"}]}
