Details
- Type: Monitor
- Status: Closed
- Priority: Major
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: 2021
- Component/s: FIWARE-TECH-HELP
- Labels:
- HD-Chapter: Security
- HD-Enabler: KeyRock
Description
Created question in FIWARE Q/A platform on 08-05-2016 at 00:05
Please, ANSWER this question AT http://stackoverflow.com/questions/37094473/fiware-keyrock-scim-api-bug-check-allowed-to-get-and-assign-got-an-unexpecte
Question:
Fiware KeyRock SCIM API bug: _check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName'
Description:
We want to use the FIWARE IdM, both Keystone and Horizon. Specifically, during sign-up we want to:
- create a user
- add that user to an organisation
- authorise the user for an application
We have installed Keystone and Horizon using the latest KeyRock docker image on the docker hub (https://hub.docker.com/r/fiware/idm/).
Because the KeyRock web interface creates Cloud organisations, community users in regions like Spain etc., I decided to try to use the SCIM API to create and authorize users:
Note: The SCIM API documents (http://docs.keyrock.apiary.io/#reference/scim-2.0) imply the SCIM calls are on the KeyRock server port, however they are available on the Keystone server port. The SCIM documentation would be clearer if it mentioned http://[keystone server]/v3/OS-SCIM/v2/Users/ instead of http://keyrock/v3/OS-SCIM/v2/Users/
Let's say we have an application (SCIM consumer) with application_id=app1. This application is created using the Horizon front-end, or using the
    POST /v3/OS-OAUTH2/consumers
call. I am not aware of a difference between the two ways of creating an application, although I have not tried the latter yet. This is a one-time operation, so we used the web interface to create the application and associated role.
So we have a role for the application = role1
and we create a user using SCIM
    POST /v3/OS-SCIM/v2/Users/
that yields user_id=user1
When I try to authorize him for our application with
    PUT /v3/OS-ROLES/users/user1/applications/app1/roles/role1
I get the following error:
{
"error":
}
The next step would be to obtain a resource owner token through KeyRock using
POST [KeyStone server]/oauth2/token
But that is moot because of the above error.
Logging into the KeyRock user interface with user1 gives the error:
"You are not authorized for any projects." I assume this is because user1 is not authorized for an organisation. user1 is invisible to other users or the admin in the KeyRock user interface, so I cannot assign the necessary authorizations.
Any ideas anyone?
Which roles does user1 still need to have and how to assign them so that KeyRock is satisfied?
Activity
Fix Version/s | 2021 [ 12600 ] |
Summary | [fiware-stackoverflow] Fiware KeyRock SCIM API bug: _check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName' | FIWARE.Question.Tech.Security.IDM-KeyRock.Fiware KeyRock SCIM API bug: _check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName' |
HD-Node | Unknown [ 10852 ] |
Resolution | Done [ 10000 ] | |
Status | Answered [ 10104 ] | Closed [ 6 ] |
Status | In Progress [ 3 ] | Answered [ 10104 ] |
Status | Open [ 1 ] | In Progress [ 3 ] |
Assignee | Alvaro Alonso [ aalonsog ] |
HD-Chapter | Unknown [ 10845 ] | Security [ 10841 ] |
HD-Enabler | Unknown [ 10910 ] | KeyRock [ 10889 ] |
HD-Chapter | Unknown [ 10845 ] | |
HD-Node | Unknown [ 10852 ] | |
HD-Enabler | Unknown [ 10910 ] |
Field | Original Value | New Value |
---|---|---|
Component/s | FIWARE-TECH-HELP [ 10278 ] |