Details
Type: Monitor
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 2021
Component/s: FIWARE-TECH-HELP
Labels: HD-Chapter:Security, HD-Enabler:KeyRock
Description
Created question in FIWARE Q/A platform on 08-05-2016 at 00:05
Please, ANSWER this question AT https://stackoverflow.com/questions/37094473/fiware-keyrock-scim-api-bug-check-allowed-to-get-and-assign-got-an-unexpecte
Question:
Fiware KeyRock SCIM API bug: _check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName'
Description:
We want to use the FIWARE IdM, both Keystone and Horizon. Specifically during sign-up we want to
create a user
add that user to an organisation
authorise the user for an application
We have installed Keystone and Horizon using the latest KeyRock docker image on the docker hub (https://hub.docker.com/r/fiware/idm/).
Because the KeyRock web interface creates Cloud organisations, community users in regions like Spain, etc., I decided to try to use the SCIM API to create and authorize users:
Note: The SCIM API documents (http://docs.keyrock.apiary.io/#reference/scim-2.0) imply that the SCIM calls are on the KeyRock server port; however, they are available on the Keystone server port. The SCIM documentation would be clearer if it mentioned http://[keystone server]/v3/OS-SCIM/v2/Users/ instead of http://keyrock/v3/OS-SCIM/v2/Users/
Let's say we have an application (SCIM consumer) with application_id=app1. This application is created using the Horizon front-end, or using the
POST /v3/OS-OAUTH2/consumers
call. I am not aware of a difference between the two ways of creating an application, although I have not tried the latter yet. This is a one-time operation, so we used the web interface to create the application and associated role.
So we have a role for the application = role1,
and we create a user using SCIM:
POST /v3/OS-SCIM/v2/Users/
which yields user_id=user1.
When I try to authorize him for our application with
PUT /v3/OS-ROLES/users/user1/applications/app1/roles/role1
I get the following error:
{
"error":
}
The next step would be to obtain a resource owner token through KeyRock using
POST [KeyStone server]/oauth2/token
But that is moot because of the above error.
Logging into the KeyRock user interface with user1 gives the error:
"You are not authorized for any projects." I assume this is because user1 is not authorized for an organisation. user1 is invisible to other users or the admin in the KeyRock user interface, so I cannot assign the necessary authorizations.
Any ideas anyone?
Which roles does user1 still need to have and how to assign them so that KeyRock is satisfied?
2017-05-22 15:13|CREATED monitor | # answers= 1, accepted answer= True
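The three-step sign-up flow the question describes (SCIM user creation, role assignment, OAuth2 token), written out as an added example; this is not code from the question, the answer, or the KeyRock project. The endpoint paths are the ones quoted in the question and are sent to the Keystone host, not the Horizon front-end. Everything else is an assumption labelled in the code: the admin X-Auth-Token header, the SCIM user schema URN and payload keys, the form-encoded resource-owner-password grant with HTTP Basic client credentials for /oauth2/token, and the hypothetical hostname. The HTTP transport is injectable so the flow can be exercised offline with a fake, and any 4xx/5xx reply is raised with its body attached, so an error object like the one in the question is not lost.

```python
"""Sign-up against the FIWARE IdM over the Keystone endpoints named in the
question: create a user (SCIM), grant it a role in an application (OS-ROLES),
then obtain an OAuth2 token for it. Transport is injectable for offline use.
"""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

# ASSUMPTION: SCIM 2.0 core user schema URN accepted by the KeyRock SCIM extension.
SCIM_USER_SCHEMA = "urn:scim:schemas:core:2.0:User"


class IdmError(Exception):
    """Raised for any 4xx/5xx reply; keeps the body so '{"error": ...}' stays visible."""

    def __init__(self, method, path, status, body):
        super().__init__("%s %s -> HTTP %d: %s" % (method, path, status, body))
        self.method, self.path, self.status, self.body = method, path, status, body


def urllib_send(method, url, headers, body):
    """Default transport: one HTTP request, returning (status, response text)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class IdmClient:
    def __init__(self, keystone_url, admin_token, send=urllib_send):
        # The SCIM and OS-ROLES paths live on the Keystone port, not the KeyRock UI port.
        self.base = keystone_url.rstrip("/")
        self.token = admin_token  # ASSUMPTION: an admin-scoped Keystone token
        self.send = send

    def _call(self, method, path, payload=None, headers=None, body=None):
        hdrs = {"X-Auth-Token": self.token, "Accept": "application/json"}
        if payload is not None:
            hdrs["Content-Type"] = "application/json"
            body = json.dumps(payload)
        if headers:
            hdrs.update(headers)
        status, text = self.send(method, self.base + path, hdrs, body)
        if status >= 400:
            raise IdmError(method, path, status, text)
        return json.loads(text) if text.strip() else {}

    def create_user(self, username, password, email):
        """POST /v3/OS-SCIM/v2/Users/ and return the new user's id (payload keys ASSUMED)."""
        payload = {
            "schemas": [SCIM_USER_SCHEMA],
            "userName": username,
            "password": password,
            "emails": [{"value": email}],
        }
        return self._call("POST", "/v3/OS-SCIM/v2/Users/", payload)["id"]

    def assign_role(self, user_id, app_id, role_id):
        """PUT /v3/OS-ROLES/users/{user}/applications/{app}/roles/{role}; returns the path used."""
        path = "/v3/OS-ROLES/users/%s/applications/%s/roles/%s" % tuple(
            quote(x, safe="") for x in (user_id, app_id, role_id))
        self._call("PUT", path)
        return path

    def password_token(self, client_id, client_secret, username, password):
        """POST /oauth2/token as a resource-owner-password grant (request shape ASSUMED)."""
        creds = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
        form = urlencode({"grant_type": "password", "username": username, "password": password})
        headers = {"Authorization": "Basic " + creds,
                   "Content-Type": "application/x-www-form-urlencoded"}
        return self._call("POST", "/oauth2/token", headers=headers, body=form)["access_token"]


def sign_up(client, username, password, email, app_id, role_id, client_secret):
    """The three steps from the question in order; the first failing call raises IdmError."""
    user_id = client.create_user(username, password, email)
    role_path = client.assign_role(user_id, app_id, role_id)
    token = client.password_token(app_id, client_secret, username, password)
    return {"user_id": user_id, "role_path": role_path, "access_token": token}


if __name__ == "__main__":
    # Hypothetical host and credentials; replace with your Keystone URL and admin token.
    idm = IdmClient("http://keystone.example.org:5000", "ADMIN_TOKEN")
    try:
        print(sign_up(idm, "alice", "s3cret", "alice@example.org", "app1", "role1", "app1secret"))
    except IdmError as err:
        print("failed:", err)  # the server's error body is part of the message
```

Because the role assignment is a separate request, the client surfaces exactly which step returned the error body, which is the first thing to check before assuming the user itself was not created.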