)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"change_message_id":"9f853076470ebd9c20d384106eaad3b91a9aa371","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Allow assignment of domain specific role to federated users"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Ater the patch \"Keystone to honor the \"domain\" attribute mapping rules.\""},{"line_number":10,"context_line":"It\u0027s not possible to assign domain specific roles to federated users"},{"line_number":11,"context_line":"when the user domain is specify on the claim."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"d6e9c754_5c168f61","line":9,"updated":"2024-01-29 21:20:08.000000000","message":"Even before that patch, you could not do what you are claiming","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"},{"author":{"_account_id":36300,"name":"Juan Pedro Torres Muñoz","display_name":"JuanPTM","email":"juan.torres-munoz@univention.de","username":"jtorres95"},"change_message_id":"a5de371f55dfad9768ef789bd23b713ded357242","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Allow assignment of domain specific role to federated users"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Ater the patch \"Keystone to honor the \"domain\" attribute mapping rules.\""},{"line_number":10,"context_line":"It\u0027s not possible to assign domain specific roles to federated users"},{"line_number":11,"context_line":"when the user domain is specify on the claim."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"da6f038b_35328da1","line":9,"in_reply_to":"d6e9c754_5c168f61","updated":"2024-01-30 08:57:37.000000000","message":"Yes, you could specify domain 
specific roles as long as they were in the same domain as the IdP.","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"},{"author":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"change_message_id":"01f9cabb3a1394c54d3efd9d0199b31feac23133","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Allow assignment of domain specific role to federated users"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Ater the patch \"Keystone to honor the \"domain\" attribute mapping rules.\""},{"line_number":10,"context_line":"It\u0027s not possible to assign domain specific roles to federated users"},{"line_number":11,"context_line":"when the user domain is specify on the claim."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"791d9d4b_e66df814","line":9,"in_reply_to":"da6f038b_35328da1","updated":"2024-01-30 15:15:34.000000000","message":"I see what you mean.","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"},{"author":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"change_message_id":"9f853076470ebd9c20d384106eaad3b91a9aa371","unresolved":true,"context_lines":[{"line_number":7,"context_line":"Allow assignment of domain specific role to federated users"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Ater the patch \"Keystone to honor the \"domain\" attribute mapping rules.\""},{"line_number":10,"context_line":"It\u0027s not possible to assign domain specific roles to federated users"},{"line_number":11,"context_line":"when the user domain is specify on the claim."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"This patch aims to fix this, allowing to map non domain specific roles"},{"line_number":14,"context_line":"and domain specific, if the domain is the specify on 
the claim."},{"line_number":15,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"f8172984_dbc41c9a","line":12,"range":{"start_line":10,"start_character":0,"end_line":12,"end_character":1},"updated":"2024-01-29 21:20:08.000000000","message":"What about creating a new schema, let\u0027s say 2.1 to enable/disable this kind of feature?\n\nAt the end of the day, that is why we created such feature.","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"},{"author":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"change_message_id":"cef5ef03b8e35f508d28d4796d84034b42b02564","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Allow assignment of domain specific role to federated users"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Ater the patch \"Keystone to honor the \"domain\" attribute mapping rules.\""},{"line_number":10,"context_line":"It\u0027s not possible to assign domain specific roles to federated users"},{"line_number":11,"context_line":"when the user domain is specify on the claim."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"This patch aims to fix this, allowing to map non domain specific roles"},{"line_number":14,"context_line":"and domain specific, if the domain is the specify on the claim."},{"line_number":15,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"9691370b_0fe911a6","line":12,"range":{"start_line":10,"start_character":0,"end_line":12,"end_character":1},"in_reply_to":"f8172984_dbc41c9a","updated":"2024-02-05 19:07:11.000000000","message":"Done","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":30695,"name":"Pedro Henrique Pereira 
Martins","email":"phpm13@gmail.com","username":"pedrohpmartins"},"change_message_id":"3e56f19a7f35ad169b442c910ad11ea518062061","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"546ee47d_f781bc1f","updated":"2024-02-05 20:05:25.000000000","message":"Hi Juan, thanks for this patch, It looks good to me.","commit_id":"04fc88a56ccf0cbdbf3f48e2fae8052dd61a82d8"},{"author":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"change_message_id":"0892303291fe4a6567a59f0482e78e2f6e0813cb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"2509c435_b839d5d8","updated":"2024-02-05 19:07:01.000000000","message":"I think the code is fine now.","commit_id":"04fc88a56ccf0cbdbf3f48e2fae8052dd61a82d8"}],"keystone/auth/plugins/mapped.py":[{"author":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"change_message_id":"9f853076470ebd9c20d384106eaad3b91a9aa371","unresolved":true,"context_lines":[{"line_number":183,"context_line":"                    # only have a name so we\u0027ll pass that instead."},{"line_number":184,"context_line":"                    raise exception.RoleNotFound(shadow_role[\u0027name\u0027])"},{"line_number":185,"context_line":"                role \u003d existing_roles[shadow_role[\u0027name\u0027]]"},{"line_number":186,"context_line":"                if (role[\u0027domain_id\u0027] is not None and"},{"line_number":187,"context_line":"                        role[\u0027domain_id\u0027] !\u003d user_domain_id):"},{"line_number":188,"context_line":"                    LOG.error("},{"line_number":189,"context_line":"                        \u0027Role %(role)s is a domain-specific role and \u0027"},{"line_number":190,"context_line":"                        \u0027cannot be assigned within %(domain)s.\u0027,"},{"line_number":191,"context_line":"                        {\u0027role\u0027: 
shadow_role[\u0027name\u0027], \u0027domain\u0027: user_domain_id}"},{"line_number":192,"context_line":"                    )"},{"line_number":193,"context_line":"                    raise exception.DomainSpecificRoleNotWithinIdPDomain("},{"line_number":194,"context_line":"                        role_name\u003dshadow_role[\u0027name\u0027],"},{"line_number":195,"context_line":"                        identity_provider\u003didp_id"}],"source_content_type":"text/x-python","patch_set":1,"id":"eb7e1285_0decc1dc","line":192,"range":{"start_line":186,"start_character":13,"end_line":192,"end_character":21},"updated":"2024-01-29 21:20:08.000000000","message":"You could check if the rule processor is, let\u0027s say 2.1, and then, you check if it is different from the user_domain or IdP_domain, and then you throw the error.","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"},{"author":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"change_message_id":"0892303291fe4a6567a59f0482e78e2f6e0813cb","unresolved":false,"context_lines":[{"line_number":183,"context_line":"                    # only have a name so we\u0027ll pass that instead."},{"line_number":184,"context_line":"                    raise exception.RoleNotFound(shadow_role[\u0027name\u0027])"},{"line_number":185,"context_line":"                role \u003d existing_roles[shadow_role[\u0027name\u0027]]"},{"line_number":186,"context_line":"                if (role[\u0027domain_id\u0027] is not None and"},{"line_number":187,"context_line":"                        role[\u0027domain_id\u0027] !\u003d user_domain_id):"},{"line_number":188,"context_line":"                    LOG.error("},{"line_number":189,"context_line":"                        \u0027Role %(role)s is a domain-specific role and \u0027"},{"line_number":190,"context_line":"                        \u0027cannot be assigned within %(domain)s.\u0027,"},{"line_number":191,"context_line":"            
            {\u0027role\u0027: shadow_role[\u0027name\u0027], \u0027domain\u0027: user_domain_id}"},{"line_number":192,"context_line":"                    )"},{"line_number":193,"context_line":"                    raise exception.DomainSpecificRoleNotWithinIdPDomain("},{"line_number":194,"context_line":"                        role_name\u003dshadow_role[\u0027name\u0027],"},{"line_number":195,"context_line":"                        identity_provider\u003didp_id"}],"source_content_type":"text/x-python","patch_set":1,"id":"e34ccb4f_ed1dcd2d","line":192,"range":{"start_line":186,"start_character":13,"end_line":192,"end_character":21},"in_reply_to":"eb7e1285_0decc1dc","updated":"2024-02-05 19:07:01.000000000","message":"Never mind, after thinking about this one, and with the adjusts that you did, I think it is fine as is.","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"},{"author":{"_account_id":28356,"name":"Rafael Weingartner","email":"rafael@apache.org","username":"rafaelweingartner"},"change_message_id":"9f853076470ebd9c20d384106eaad3b91a9aa371","unresolved":true,"context_lines":[{"line_number":271,"context_line":"                # mapping and what it\u0027s saying to create. 
If there is something"},{"line_number":272,"context_line":"                # wrong with how the mapping is, we should bail early before we"},{"line_number":273,"context_line":"                # create anything."},{"line_number":274,"context_line":"                user_domain \u003d mapped_properties[\u0027user\u0027].get(\u0027domain\u0027).get(\u0027id\u0027) "},{"line_number":275,"context_line":"                              if mapped_properties[\u0027user\u0027].get(\u0027domain\u0027) else"},{"line_number":276,"context_line":"                              idp_domain_id"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"                validate_shadow_mapping("}],"source_content_type":"text/x-python","patch_set":1,"id":"a08f0b50_0493d6fd","line":275,"range":{"start_line":274,"start_character":7,"end_line":275,"end_character":77},"updated":"2024-01-29 21:20:08.000000000","message":"why are you doing this processing here? It does not seem to be related to what you want to achieve. This kind of adjustments is done in the rule processor already.","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"},{"author":{"_account_id":36300,"name":"Juan Pedro Torres Muñoz","display_name":"JuanPTM","email":"juan.torres-munoz@univention.de","username":"jtorres95"},"change_message_id":"370204200b1c8ea7ac517f45d094c5c9e032ac9d","unresolved":false,"context_lines":[{"line_number":271,"context_line":"                # mapping and what it\u0027s saying to create. 
If there is something"},{"line_number":272,"context_line":"                # wrong with how the mapping is, we should bail early before we"},{"line_number":273,"context_line":"                # create anything."},{"line_number":274,"context_line":"                user_domain \u003d mapped_properties[\u0027user\u0027].get(\u0027domain\u0027).get(\u0027id\u0027) "},{"line_number":275,"context_line":"                              if mapped_properties[\u0027user\u0027].get(\u0027domain\u0027) else"},{"line_number":276,"context_line":"                              idp_domain_id"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"                validate_shadow_mapping("}],"source_content_type":"text/x-python","patch_set":1,"id":"d8a2e929_c4ebb498","line":275,"range":{"start_line":274,"start_character":7,"end_line":275,"end_character":77},"in_reply_to":"6e1c1841_2772653e","updated":"2024-01-30 14:44:53.000000000","message":"After double checking, I realize the processing is not needed there, so I delete it.","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"},{"author":{"_account_id":36300,"name":"Juan Pedro Torres Muñoz","display_name":"JuanPTM","email":"juan.torres-munoz@univention.de","username":"jtorres95"},"change_message_id":"ec2946b87592241195ebd980a2d51789fef0757e","unresolved":true,"context_lines":[{"line_number":271,"context_line":"                # mapping and what it\u0027s saying to create. 
If there is something"},{"line_number":272,"context_line":"                # wrong with how the mapping is, we should bail early before we"},{"line_number":273,"context_line":"                # create anything."},{"line_number":274,"context_line":"                user_domain \u003d mapped_properties[\u0027user\u0027].get(\u0027domain\u0027).get(\u0027id\u0027) "},{"line_number":275,"context_line":"                              if mapped_properties[\u0027user\u0027].get(\u0027domain\u0027) else"},{"line_number":276,"context_line":"                              idp_domain_id"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"                validate_shadow_mapping("}],"source_content_type":"text/x-python","patch_set":1,"id":"6e1c1841_2772653e","line":275,"range":{"start_line":274,"start_character":7,"end_line":275,"end_character":77},"in_reply_to":"a08f0b50_0493d6fd","updated":"2024-01-30 14:04:44.000000000","message":"I\u0027m doing the processing here because we need to know which domain the shadow user is assigned to before calling `validate_shadow_mapping`. \n\nAfter adding this, the domain_id that will be passed to the `validate_shadow_mapping` function will be the `domain` specified for the user if it\u0027s in the claim, or the `idp_domain_id` as it was before. \n\nIf that\u0027s already done in the rule processor, maybe using `mapped_properties[\u0027user\u0027].get(\u0027domain\u0027).get(\u0027id\u0027)` as a value in the `validate_shadow_mapping` call can be enough, making all the processing here useless.","commit_id":"9cdee6127389f7f4a01ec52a2b8c9413bf8e9863"}]}
