Unable to show user's details in OpenStack: GET /v3/users/{user_id} #2
Comments
Potential solution: EGI-Federation/documentation#628

Need to enforce configuration at sites via GGUS ticket. I propose the following text:

Subject: Enable VO user auditing in OpenStack

Dear site admin,

In order to have better control of the resources created by EGI users at your site, we propose the use of an additional mapping configuration that allows selected EGI members belonging to the cloud.egi.eu VO and having an auditor role to have reader privileges for the OpenStack domain that supports EGI users. This mapping simplifies the process of releasing resources whenever they are no longer used for piloting VOs without the need of site administrators being involved.

The documentation is available at https://docs.egi.eu/providers/cloud-compute/openstack/aai/#keystone-federation-support and summarised below:

# Support for https://operations-portal.egi.eu/vo/view/voname/cloud.egi.eu
$ openstack group create --domain egi.eu egi-staff
$ openstack role add --domain egi.eu --group egi-staff reader
{
  "local": [
    {
      "user": {
        "name": "{0}",
        "email": "{1}"
      },
      "group": {
        "id": "_egi-staff_group_ID_"
      }
    }
  ],
  "remote": [
    {
      "type": "HTTP_OIDC_SUB"
    },
    {
      "type": "HTTP_OIDC_EMAIL"
    },
    {
      "type": "HTTP_OIDC_ISS",
      "any_one_of": [
        "https://aai.egi.eu/auth/realms/egi"
      ]
    },
    {
      "type": "OIDC-eduperson_entitlement",
      "regex": true,
      "any_one_of": [
        "^urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu$"
      ]
    }
  ]
}
$ openstack mapping set --rules mapping.json egi-mapping

If there are issues preventing this configuration, please let us know so we can find the best way to support you.

Thanks,

@CatalinCondurache, what do you think?
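
To check which federated users a rule like the one proposed above would place in `egi-staff`, the following is an added example (not part of the original issue or of the EGI documentation). It is a simplified model of remote-condition matching, assuming `;`-separated multi-valued claims and `re.search` for regex conditions; the helper names and all claim values are constructed.

```python
import re

# Remote half of the rule proposed above (copied from the page).
REMOTE = [
    {"type": "HTTP_OIDC_SUB"},
    {"type": "HTTP_OIDC_EMAIL"},
    {"type": "HTTP_OIDC_ISS",
     "any_one_of": ["https://aai.egi.eu/auth/realms/egi"]},
    {"type": "OIDC-eduperson_entitlement", "regex": True,
     "any_one_of": ["^urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu$"]},
]


def rule_matches(remote, claims):
    """Return True when every remote condition holds for the claims.

    Simplified model (assumption): multi-valued claims are ';'-separated,
    regex conditions use re.search, other conditions compare exactly.
    """
    for cond in remote:
        raw = claims.get(cond["type"])
        if not raw:
            return False  # attribute missing or empty: rule cannot apply
        values = raw.split(";")
        wanted = cond.get("any_one_of")
        if wanted is None:
            continue  # presence-only condition (feeds {0} and {1})
        if cond.get("regex"):
            hit = any(re.search(p, v) for p in wanted for v in values)
        else:
            hit = any(v in wanted for v in values)
        if not hit:
            return False
    return True


def claims(entitlements, iss="https://aai.egi.eu/auth/realms/egi"):
    """Build a constructed claim set; sub and email are placeholders."""
    return {"HTTP_OIDC_SUB": "constructed-sub@egi.eu",
            "HTTP_OIDC_EMAIL": "auditor@example.org",
            "HTTP_OIDC_ISS": iss,
            "OIDC-eduperson_entitlement": ";".join(entitlements)}


AUDITOR = "urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu"
MEMBER = "urn:mace:egi.eu:group:cloud.egi.eu:role=member#aai.egi.eu"  # constructed

if __name__ == "__main__":
    for label, c in [("auditor", claims([MEMBER, AUDITOR])),
                     ("member only", claims([MEMBER])),
                     ("other issuer", claims([AUDITOR], iss="https://idp.example.org")),
                     ("suffixed value", claims([AUDITOR + ".example.org"]))]:
        print(f"{label:15} -> egi-staff: {rule_matches(REMOTE, c)}")
```

Only the first sample maps to the group: the `^`/`$` anchors reject a longer entitlement that merely contains the auditor string, and the issuer condition rejects the same entitlement from any other issuer.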
Short Description of the issue
Keystone policy in the EGI cloud providers does not allow users to perform the requested action: 'identity:get_user'
Summary of proposed changes