| Nick | Message | Time |
|---|---|---|
| *** | dviroel\|biab is now known as dviroel | 09:36 |
| *** | bbezak_ is now known as bbezak | 09:51 |
| *** | bbezak is now known as Guest1060 | 09:52 |
| *** | dviroel is now known as dviroel\|doc-appt | 09:52 |
| *** | Guest1060 is now known as bbezak | 09:56 |
| *** | dviroel\|doc-appt is now known as dviroel | 11:24 |
| *** | dasm\|off is now known as dasm | 14:09 |
| Muran | Currently fighting with openid integration. If I have token data that comes in the form of `"realm_access": {"roles": ["role_1", "role_2"]}`, how can I write a mapping rule to target that in my remote? Thinking something like: `{"type": "OIDC-realm_access.roles", "any_one_of": ["role_1"]}`. But the `OIDC-realm_access.roles` doesn't seem to work for finding the variable. | 15:48 |
| *** | dviroel is now known as dviroel\|lunch | 15:54 |
| knikolla[m] | Muran: I don't think the mapping engine is smart enough to look for a key inside a dictionary. | 16:04 |
| *** | knikolla[m] is now known as knikolla | 16:06 |
| Muran | @knikolla Ok thanks. Next issue. I switched how data is sent and made it as a single key holding an array instead of an entry inside a list: `realm_access_roles ["role_1", "role_2"]`. However it seems that when the data is received by keystone, it gets transitioned to an array holding just one value. It is received as `realm_access_roles: ['role_1,role_2']`. I.e. it is now an array with one entry which is a string that holds the values separated by comma. Is there any specific reason why this is happening? | 16:31 |
| Muran | And another thing. I noticed that role membership doesn't seem to ever be revoked? If I have a rule that says "if role_1 give member access to project_1" it will happily create that role for the user to role_1. But if I remove "role_1" from the user, the member-role is not removed and the user can still login and access project_1. | 16:34 |
| knikolla | Muran: interesting, i'll have to take a look at the code. | 16:41 |
| knikolla | for the second point, yes. keystone doesn't keep track of previously granted roles to compare what you don't have anymore and remove it. | 16:41 |
| knikolla | for that use case we support expiring group memberships through the mapping. that persist for a set time and need to be renewed by reauthenticating. | 16:42 |
| *** | dviroel\|lunch is now known as dviroel | 16:59 |
| *** | mnaser__ is now known as mnaser | 17:05 |
| Muran | @knikolla Ok thanks. I will check on group membership and see if that can be a fit for us in our current use case. | 17:21 |
| *** | dviroel_ is now known as dviroel | 18:02 |
| *** | dviroel is now known as dviroel\|afk | 20:12 |
| *** | dasm is now known as dasm\|off | 22:28 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!