From d82be8f5637960295f5190adb286f0c62d176e9b Mon Sep 17 00:00:00 2001 From: kwss Date: Mon, 19 May 2014 12:14:33 +0100 Subject: [PATCH] Trusted Attributes Policy for External Identity Providers Allows fine grained control over which attributes (both types and values) Keystone will accept as trustworthy from an external identity provider. All attributes (types and/or values) that are not trusted will be discarded by federated Keystone. implements: bp trusted-attribute-issuing-policy Co-Authored-By: David Chadwick Change-Id: Ib17b19da9fd6a0b88b9d3336d8f663128c8b9cde --- .../identity-api-v3-os-federation-ext.md | 160 +++++++++++++++++- 1 file changed, 155 insertions(+), 5 deletions(-) diff --git a/v3/src/markdown/identity-api-v3-os-federation-ext.md b/v3/src/markdown/identity-api-v3-os-federation-ext.md index 5c023306..480a5339 100644 --- a/v3/src/markdown/identity-api-v3-os-federation-ext.md +++ b/v3/src/markdown/identity-api-v3-os-federation-ext.md @@ -18,6 +18,8 @@ Definitions may not align 1:1 with the Identity API concepts. To help overcome such mismatches, a mapping can be done either on the sending side (third party identity provider), on the consuming side (Identity API service), or both. +- *Trusted Attribute*: An attribute trusted to be issued by a Trusted Identity + Provider. API Resources ------------- 
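Review bot: The new glossary entry in the `@@ -18` hunk defines *Trusted Attribute* in terms of a "Trusted Identity Provider", a term that does not appear to be defined anywhere in the Definitions list (the rest of the list is outside this hunk), so the reader has to guess whether it means any registered Identity Provider or only one that has a policy. Suggest either adding a matching definition line or rewording the entry to `*Trusted Attribute*: An attribute that a registered Identity Provider is trusted to issue, as declared by that provider's trusted attributes policy.`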
@@ -136,6 +138,23 @@ Required attributes:: expression](http://docs.python.org/2/library/re.html) search against the remote attribute `type`. +### Trusted Attribute: `/OS-FEDERATION/identity_providers/{idp_id}/trusted_attributes` + +A trusted attributes policy defines which attributes an Identity provider is +trusted to issue. When a policy is created for a Identity provider, the +attributes received in assertions from this provider are automatically filtered. +In order to maintain backwards compatibility, all attributes are accepted from +this provider if no policy is defined. If the policy is empty, no attributes are +accepted. + +Attributes: + + - `attributes` (list) + + A list of trusted attributes. Each attribute is specified as a + type and an optional set of values. A list of zero values denotes that + any value should be accepted. + Identity Provider API --------------------- @@ -161,7 +180,8 @@ Response: "id": "ACME", "links": { "protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols", - "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME" + "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME", + "trusted_attributes": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/trusted_attributes" } } } @@ -180,7 +200,8 @@ Response: "id": "ACME", "links": { "protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols", - "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME" + "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME", + "trusted_attributes": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/trusted_attributes" } }, { 
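Review bot: The policy description in the `@@ -136` hunk leaves three filtering questions open that decide what an assertion consumer actually ends up trusting: how a multi-valued attribute whose `type` is trusted but only some of whose values are listed is handled (partial retention versus discarding the whole attribute), whether `type` is compared by exact, case-sensitive equality (the mapping section just above this hunk matches `type` with a regex search, so a reader may assume the same here), and whether filtering runs before or after the mapping rules. Whichever is intended should be stated, for example after `any value should be accepted.`: `Attribute types are compared by exact, case-sensitive string equality; filtering is applied before mapping rules; for a trusted type with a non-empty value list only the listed values are retained.` The backwards-compatibility default of accepting every attribute when no policy exists is fail-open, so it is worth saying explicitly that the `trusted_attributes` link added to every provider in the later hunks does not by itself imply a policy exists and that deployers who want filtering must create one.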
@@ -189,7 +210,8 @@ Response: "id": "ACME-contractors", "links": { "protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME-contractors/protocols", - "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME-contractors" + "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME-contractors", + "trusted_attributes": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/trusted_attributes" } } ], @@ -213,7 +235,8 @@ Response: "id": "ACME", "links": { "protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols", - "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME" + "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME", + "trusted_attributes": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/trusted_attributes" } } } @@ -248,7 +271,8 @@ Response: "id": "ACME", "links": { "protocols": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/protocols", - "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME" + "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME", + "trusted_attributes": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME/trusted_attributes" } } } 
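Review bot: In the `@@ -189` hunk the `ACME-contractors` entry's new `trusted_attributes` link points at the `ACME` provider's policy (`.../identity_providers/ACME/trusted_attributes`), while its sibling `protocols` and `self` links use `ACME-contractors`; this looks like a copy-paste slip in the list example. It should read `"trusted_attributes": "http://identity:35357/v3/OS-FEDERATION/identity_providers/ACME-contractors/trusted_attributes"`. Since this link is how a client discovers which policy governs a given provider, an example that cross-links two providers' policies is worth fixing before it is copied into client code or tests; the other `trusted_attributes` links in the `@@ -161`, `@@ -180`, `@@ -213` and `@@ -248` hunks are consistent with their `self` links.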
@@ -560,6 +584,132 @@ Response: Status: 204 No Content +Trusted Attribute API +--------------------- + +### Get an Identity Provider's set of trusted attributes: `GET /OS-FEDERATION/identity_providers/{idp_id}/trusted_attributes` + +Response: + + Status: 200 OK + + { + "trusted_attributes": [ + { + "type": "email", + "values": [] + }, + { + "type": "orgPersonType", + "values": ["staff", "contractor", "guest"] + }, + { + "type": "uid", + "values": [] + } + ], + "links": { + "identity_provider": "http://identity:35357/v3/OS-FEDERATION/identity_providers/7e23a6", + "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/7e23a6/trusted_attributes" + } + } + +### Create an Identity Provider's Trusted Attributes Policy: `PUT /OS-FEDERATION/identity_providers/{idp_id}/trusted_attributes` + +Request: + { + "trusted_attributes": [ + { + "type": "email", + "values": [] + }, + { + "type": "orgPersonType", + "values": ["staff", "contractor", "guest"] + }, + { + "type": "uid", + "values": [] + } + ] + } + +Response: + + Status: 201 Created + + { + "trusted_attributes": [ + { + "type": "email", + "values": [] + }, + { + "type": "orgPersonType", + "values": ["staff", "contractor", "guest"] + }, + { + "type": "uid", + "values": [] + } + ], + "links": { + "identity_provider": "http://identity:35357/v3/OS-FEDERATION/identity_providers/7e23a6", + "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/7e23a6/trusted_attributes" + } + } + +### Update an Identity Provider's Trusted Attributes Policy: `PATCH /OS-FEDERATION/identity_providers/{idp_id}/trusted_attributes` + +Request: + { + "trusted_attributes": [ + { + "type": "email", + "values": [] + }, + { + "type": "orgPersonType", + "values": ["contractor", "guest"] + }, + { + "type": "uid", + "values": [] + } + ] + } + +Response: + + Status: 200 OK + + { + "trusted_attributes": [ + { + "type": "email", + "values": [] + }, + { + "type": "orgPersonType", + "values": ["contractor", "guest"] + }, + { + "type": 
"uid", + "values": [] + } + ], + "links": { + "identity_provider": "http://identity:35357/v3/OS-FEDERATION/identity_providers/7e23a6", + "self": "http://identity:35357/v3/OS-FEDERATION/identity_providers/7e23a6/trusted_attributes" + } + } + +### Delete a trusted attributes policy for an Identity provider: `DELETE /OS-FEDERATION/identity_providers/{idp_id}/trusted_attributes` + +Response: + + Status: 204 Deleted + Listing projects and domains ----------------------------
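Review bot: The DELETE response in the `@@ -560` hunk is written as `Status: 204 Deleted`, but the reason phrase for 204 is `No Content`, as the unchanged `Status: 204 No Content` line at the top of the same hunk shows; it should read `Status: 204 No Content`. The PATCH section sends a complete `trusted_attributes` list and the example drops `staff` from `orgPersonType`, which reads as a whole-list replacement, so the text should say whether PATCH replaces the list or merges entries by `type`, and what then distinguishes it from PUT (and whether PUT on an existing policy returns 201 again, 200, or an error). None of GET, PATCH or DELETE says what is returned when the provider has no policy yet; given the earlier statement that a missing policy means every attribute is accepted, the DELETE section should also state that deleting a policy returns the provider to that accept-everything default, since that widens what is trusted. Minor formatting: the `Request:` lines for PUT and PATCH are not followed by a blank line before the JSON body, unlike the `Response:` sections in the same hunk.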