Keystone identity mapping to support project definition as a JSON

Registered by Rafael Weingartner

=================================================================
Keystone identity mapping to support project definition as a JSON
=================================================================

This blueprint adds support for defining projects as a JSON string in the
Keystone identity federation attribute mapping schema.

This spec depends on https://review.opendev.org/#/c/748042/, which is the
proposal that enhances the identity mapping schema management. Therefore,
we first need to get that reviewed and merged.

Problem Description
===================
Currently, project assignment via the federated identity mapping is rather
static, because the mapping relies on a find/replace mechanism. Therefore, if
the IdP emits an attribute that contains a JSON document with project
definitions, Keystone is not able to handle it.

Proposed Change
===============
This spec introduces a new property in the federated identity mapping schema
called ``projects_json``. In the schema, this property accepts a JSON string
that defines all of the projects, and the roles in each of them, that the
user must receive when logging in to the OpenStack platform. Moreover, when
this extension is used, roles (assigned to projects) are added and removed
on the fly.

The extension is quite straightforward. We created a new ``schema_version``
(1.2). This new version enables the handling of ``projects_json`` in the
attribute mapping.

Furthermore, we added code to handle the addition of extra roles for projects
and the removal of roles that are present in OpenStack but absent from the IdP
data. This mechanism keeps the state of the OpenStack federated user
consistent with the identity provider's user attributes.

Attribute mapping schema
------------------------
Adding the ``projects_json`` attribute:

.. code-block:: python

    IDP_ATTRIBUTE_MAPPING_SCHEMA_1_2 = copy.deepcopy(
        IDP_ATTRIBUTE_MAPPING_SCHEMA_1_1)

    IDP_ATTRIBUTE_MAPPING_SCHEMA_1_2['properties']['rules']['items']['properties'][
        'local']['items']['properties']['projects_json'] = {"type": "string"}

By adding ``projects_json`` as a ``string``, we enable operators to use IdP
attributes that are JSON strings defining the projects in which the users must
be placed. This JSON is then validated against the project definition. The new
option is handled in version ``1.2`` of the attribute mapping schema.
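The following is an added example, not code from Keystone or from this spec. It
puts the pieces described above together: the ``1.2`` schema extension as
written in the snippet, strict parsing of the ``projects_json`` string the IdP
sends, and the reconciliation step that grants roles present in the IdP data
and revokes roles present in OpenStack but absent from it. The JSON layout
(``[{"name": ..., "roles": [...]}]``), the size bound, the treatment of projects
the IdP omits entirely, and every function name are assumptions made for the
illustration; the spec fixes none of them. Because the attribute value is
chosen by the IdP (or by anyone able to tamper with its assertion), the parser
treats it as untrusted input.

```python
"""Added example, not Keystone's code: parse an IdP-supplied ``projects_json``
attribute, validate its shape, and compute the role changes that bring the
user's assignments in line with it. The JSON layout, the size bound and all
function names are assumptions made for this illustration."""
import copy
import json

# Stand-in for the 1.1 schema: only the path the spec modifies is modelled.
IDP_ATTRIBUTE_MAPPING_SCHEMA_1_1 = {
    "type": "object",
    "properties": {"rules": {"type": "array", "items": {
        "type": "object",
        "properties": {"local": {"type": "array", "items": {
            "type": "object",
            "properties": {"user": {"type": "object"},
                           "group": {"type": "object"},
                           "projects": {"type": "array"}},
        }}},
    }}},
}

# The extension as the spec describes it: 1.2 copies 1.1 and adds
# ``projects_json`` as a plain string property.
IDP_ATTRIBUTE_MAPPING_SCHEMA_1_2 = copy.deepcopy(IDP_ATTRIBUTE_MAPPING_SCHEMA_1_1)
IDP_ATTRIBUTE_MAPPING_SCHEMA_1_2['properties']['rules']['items']['properties'][
    'local']['items']['properties']['projects_json'] = {"type": "string"}

MAX_PROJECTS_JSON_BYTES = 64 * 1024  # assumed bound; the spec sets none


class ProjectsJsonError(ValueError):
    """Raised when the IdP attribute does not match the expected shape."""


def parse_projects_json(raw):
    """Decode ``raw`` into {project_name: set(role_names)}.

    Assumed layout: a JSON array of {"name": str, "roles": [str, ...]}.
    The content comes from the IdP assertion, so it is treated as untrusted:
    size, type, required keys and duplicates are all checked before use.
    """
    if not isinstance(raw, str):
        raise ProjectsJsonError("projects_json must be a string attribute")
    if len(raw.encode("utf-8")) > MAX_PROJECTS_JSON_BYTES:
        raise ProjectsJsonError("projects_json exceeds size bound")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ProjectsJsonError("projects_json is not valid JSON: %s" % exc)
    if not isinstance(data, list):
        raise ProjectsJsonError("projects_json must be a JSON array")
    projects = {}
    for entry in data:
        if not isinstance(entry, dict) or set(entry) != {"name", "roles"}:
            raise ProjectsJsonError("each entry needs exactly 'name' and 'roles'")
        name, roles = entry["name"], entry["roles"]
        if not isinstance(name, str) or not name:
            raise ProjectsJsonError("project name must be a non-empty string")
        if not isinstance(roles, list) or not all(
                isinstance(r, str) and r for r in roles):
            raise ProjectsJsonError("roles of %r must be non-empty strings" % name)
        if name in projects:
            raise ProjectsJsonError("project %r listed twice" % name)
        projects[name] = set(roles)
    return projects


def reconcile_roles(current, desired):
    """Return (to_grant, to_revoke) as sets of (project, role) pairs.

    ``current`` is what the user holds in OpenStack, ``desired`` what the IdP
    sent. Roles in OpenStack but not in the IdP data are revoked, as the spec
    describes; projects the IdP omits entirely lose their roles too (our
    reading of the spec), which makes the IdP authoritative for the user.
    """
    to_grant, to_revoke = set(), set()
    for project in set(current) | set(desired):
        have, want = current.get(project, set()), desired.get(project, set())
        to_grant |= {(project, r) for r in want - have}
        to_revoke |= {(project, r) for r in have - want}
    return to_grant, to_revoke


# Constructed sample input: an IdP attribute value and the user's current state.
SAMPLE_PROJECTS_JSON = json.dumps([
    {"name": "research", "roles": ["member", "reader"]},
    {"name": "ops", "roles": ["admin"]},
])
SAMPLE_CURRENT = {"research": {"member", "heat_stack_owner"}, "legacy": {"member"}}


def demo():
    """Run both steps on the constructed sample and return the change sets."""
    return reconcile_roles(SAMPLE_CURRENT, parse_projects_json(SAMPLE_PROJECTS_JSON))
```

On the sample, ``demo()`` grants ``reader`` on ``research`` and ``admin`` on
``ops``, and revokes ``heat_stack_owner`` on ``research`` and ``member`` on
``legacy``. The last revocation is the point a deployer should weigh: once
``projects_json`` is the source of truth, a role that exists only in OpenStack
is removed at the next login, so an IdP outage or misconfiguration that drops
entries from the attribute translates directly into lost access.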

Database table changes
----------------------
None

API impacts
-----------
None

Assignee(s)
-----------

Primary assignees:
 - Rafael <email address hidden>

Other contributors:

Work Items
----------

1) Implement proposed changes in Keystone [1]_

 - Create a new mapping schema

 - Create new processors for the proposed changes

 - Implement validations and unit tests

 - Update documentation

Dependencies
============

This spec depends on https://review.opendev.org/#/c/748042/, the proposal that
enhances the identity mapping schema management, which must be reviewed and
merged first.

References
==========

.. [1] https://review.opendev.org/#/c/742235

Blueprint information
=====================

 - Status: Not started

 - Approver: None

 - Priority: Undefined

 - Drafter: Rafael Weingartner

 - Direction: Needs approval

 - Assignee: Rafael Weingartner

 - Definition: New

 - Series goal: None

 - Implementation: Unknown

 - Milestone target: None
