
Fiware KeyRock SCIM API bug: _check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName'

We want to use the FIWARE IdM, both Keystone and Horizon. Specifically, during sign-up we want to

  • create a user
  • add that user to an organisation
  • authorise the user for an application

We have installed Keystone and Horizon using the latest KeyRock docker image on the docker hub ( https://hub.docker.com/r/fiware/idm/ ).

Because the KeyRock web interface creates Cloud organisations, community users in regions like Spain etc., I decided to try to use the SCIM API to create and authorize users:

Note: The SCIM API documents ( http://docs.keyrock.apiary.io/#reference/scim-2.0 ) imply the SCIM calls are on the KeyRock server port; however, they are available on the Keystone server port. The SCIM documentation would be clearer if it mentioned http://[keystone server]/v3/OS-SCIM/v2/Users/ instead of http://keyrock/v3/OS-SCIM/v2/Users/

Let's say we have an application (SCIM consumer) with application_id=app1. This application is created using the Horizon front-end, or using the

    POST /v3/OS-OAUTH2/consumers 

call. I am not aware of a difference between the two ways of creating an application, although I have not tried the latter yet. This is a one-time operation, so we used the web interface to create the application and associated role.

So we have a role for the application: role1

and we create a user using SCIM

POST /v3/OS-SCIM/v2/Users/

that yields user_id=user1

When I try to authorize him for our application with

PUT /v3/OS-ROLES/users/user1/applications/app1/roles/role1

I get the following error:

{
    "error": {
        "message": "_check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName'",
        "code": 400,
        "title": "Bad Request"
    }
}

The next step would be to obtain a resource owner token through KeyRock using

POST [KeyStone server]/oauth2/token

But that is moot because of the above error.

Logging into the KeyRock user interface with user1 gives the error: "You are not authorized for any projects." I assume this is because user1 is not authorized for an organisation. user1 is invisible to other users or the admin in the KeyRock user interface, so I cannot assign the necessary authorizations.

Any ideas, anyone? Which roles does user1 still need to have, and how do I assign them so that KeyRock is satisfied?

After looking deep into your issue, it turns out that it might be related to the lack of the new user's default organization. Even though requests to the SCIM API Users endpoint should create only users, it is certain that KeyRock users internally have a default organization, which cannot be seen from the outside. Since it makes sense to create this organization automatically as well, we just made a few improvements in the SCIM controller at KeyRock that take charge of this. You can take a look at the changes in our GitHub repository.

I myself made sure that this should solve your issue by following the same flow (note that the value of the X-Auth-Token header is an admin token and that the Host header should be your Keystone endpoint):

  1. Register a user through the SCIM API:

     POST /v3/OS-SCIM/v2/Users HTTP/1.1
     Host: localhost:5000
     Accept: */*
     Content-Type: application/json
     X-Auth-Token: 6bd914d9976c448a98b83ccaf5931c4e
     Content-Length: 55

     {
         "userName": "foo@foo.bar",
         "password": "foobar"
     }

    Which returns the following response:

     HTTP/1.1 201 Created
     Vary: X-Auth-Token
     Content-Type: application/json
     Content-Length: 276

     {
         "userName": "foo@foo.bar",
         "urn:scim:schemas:extension:keystone:2.0": {
             "domain_id": "default",
             "default_project_id": "c590cea2b37c4f1c9ca94a015837cde9"
         },
         "active": true,
         "id": "foo-foo-bar",
         "schemas": [
             "urn:scim:schemas:core:2.0",
             "urn:scim:schemas:extension:keystone:2.0"
         ]
     }

  2. Authorize the newly created user for the application app1 by assigning them the role role1:

     PUT /v3/OS-ROLES/users/foo-foo-bar/applications/app1/roles/role1 HTTP/1.1
     Host: localhost:5000
     Accept: */*
     Content-Type: application/json
     X-Auth-Token: fd817b31444141a7a8a15d6d6afd2078

    Which in turn returns the following success response:

     HTTP/1.1 204 No Content
     Vary: X-Auth-Token
     Content-Length: 0

  3. After this, I was finally able to obtain a resource owner OAuth2 token, as you requested (the Authorization header includes the OAuth2 credentials of app1):

     POST /oauth2/token HTTP/1.1
     Host: localhost:8000
     Accept: */*
     Authorization: Basic 12345678abcdefgh=
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 56

     grant_type=password&username=foo@foo.bar&password=foobar

    And the token is at last returned:

     HTTP/1.0 200 OK
     Vary: Accept-Language, Cookie
     Content-Type: application/json

     {
         "access_token": "JYjCV2H8QNakRPUqqdoAHZmpmD0vgQ",
         "token_type": "Bearer",
         "expires_in": 3600,
         "refresh_token": "snnS8djsYw62aUtl9Szk9BBqti36jF"
     }
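As an added example (not code from the question, the answer, or the FIWARE project), the three requests above scripted end to end in Python: SCIM user creation and role assignment on the Keystone port with the admin X-Auth-Token, then the resource-owner password grant on the KeyRock port with the application's credentials in HTTP Basic. Everything beyond the paths, headers and bodies shown in the answer is an assumption: the helper names, the pluggable `send` transport (so the flow can be exercised offline against canned copies of the answer's responses), and the placeholder client secret `app1-secret`. The admin token and the consumer secret are the privileged inputs here; they are parameters so a real run can load them from a secret store rather than the source file.

```python
import base64
import json
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode, urlparse

# (method, url, headers, body) -> (status, response bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


class KeyRockError(RuntimeError):
    """An endpoint answered with something other than the status the flow expects."""


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport (standard library only) for running against live servers."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def scim_create_user(keystone: str, admin_token: str, user_name: str, password: str,
                     send: Transport = urllib_transport) -> str:
    """Step 1: POST /v3/OS-SCIM/v2/Users on the Keystone port; returns the SCIM user id."""
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "X-Auth-Token": admin_token}
    body = json.dumps({"userName": user_name, "password": password}).encode()
    status, resp = send("POST", f"{keystone}/v3/OS-SCIM/v2/Users", headers, body)
    if status != 201:
        raise KeyRockError(f"SCIM user creation failed: {status} {resp[:200]!r}")
    return json.loads(resp)["id"]


def assign_role(keystone: str, admin_token: str, user_id: str, app_id: str,
                role_id: str, send: Transport = urllib_transport) -> None:
    """Step 2: PUT /v3/OS-ROLES/users/{user}/applications/{app}/roles/{role}; 204 on success."""
    path = f"/v3/OS-ROLES/users/{user_id}/applications/{app_id}/roles/{role_id}"
    headers = {"Accept": "application/json", "X-Auth-Token": admin_token}
    status, resp = send("PUT", keystone + path, headers, None)
    if status != 204:
        raise KeyRockError(f"role assignment failed: {status} {resp[:200]!r}")


def password_grant_token(keyrock: str, client_id: str, client_secret: str,
                         user_name: str, password: str,
                         send: Transport = urllib_transport) -> Dict[str, object]:
    """Step 3: resource-owner password grant at POST /oauth2/token on the KeyRock port.
    The application's OAuth2 credentials go in HTTP Basic, the user's in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": user_name,
                      "password": password}).encode()
    status, resp = send("POST", f"{keyrock}/oauth2/token", headers, body)
    if status != 200:
        raise KeyRockError(f"token request failed: {status} {resp[:200]!r}")
    token = json.loads(resp)
    if "access_token" not in token or str(token.get("token_type", "")).lower() != "bearer":
        raise KeyRockError(f"unexpected token response: {token!r}")
    return token


def onboard_user(keystone: str, keyrock: str, admin_token: str, client_id: str,
                 client_secret: str, user_name: str, password: str, app_id: str,
                 role_id: str, send: Transport = urllib_transport) -> Tuple[str, str]:
    """The answer's flow in order; returns (SCIM user id, OAuth2 access token)."""
    user_id = scim_create_user(keystone, admin_token, user_name, password, send)
    assign_role(keystone, admin_token, user_id, app_id, role_id, send)
    token = password_grant_token(keyrock, client_id, client_secret, user_name, password, send)
    return user_id, str(token["access_token"])


# Constructed offline stand-in for both servers: responses copied from the answer's bodies.
CANNED = {
    ("POST", "/v3/OS-SCIM/v2/Users"): (201, json.dumps({
        "userName": "foo@foo.bar", "active": True, "id": "foo-foo-bar",
        "urn:scim:schemas:extension:keystone:2.0": {
            "domain_id": "default", "default_project_id": "c590cea2b37c4f1c9ca94a015837cde9"},
        "schemas": ["urn:scim:schemas:core:2.0", "urn:scim:schemas:extension:keystone:2.0"],
    }).encode()),
    ("PUT", "/v3/OS-ROLES/users/foo-foo-bar/applications/app1/roles/role1"): (204, b""),
    ("POST", "/oauth2/token"): (200, json.dumps({
        "access_token": "JYjCV2H8QNakRPUqqdoAHZmpmD0vgQ", "token_type": "Bearer",
        "expires_in": 3600, "refresh_token": "snnS8djsYw62aUtl9Szk9BBqti36jF"}).encode()),
}


def fake_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes]) -> Tuple[int, bytes]:
    """Enforces the credential each server requires, then answers from CANNED."""
    path = urlparse(url).path
    if path.startswith("/v3/") and not headers.get("X-Auth-Token"):
        return 401, b'{"error": {"message": "missing X-Auth-Token", "code": 401}}'
    if path == "/oauth2/token" and not headers.get("Authorization", "").startswith("Basic "):
        return 401, b'{"error": "invalid_client"}'
    return CANNED.get((method, path), (404, b"not found"))


def demo() -> Tuple[str, str]:
    """Flow against the fake servers; the admin token and client secret are placeholders."""
    return onboard_user("http://localhost:5000", "http://localhost:8000",
                        "6bd914d9976c448a98b83ccaf5931c4e", "app1", "app1-secret",
                        "foo@foo.bar", "foobar", "app1", "role1", send=fake_transport)
```

Calling `demo()` drives the fake servers and returns `("foo-foo-bar", "JYjCV2H8QNakRPUqqdoAHZmpmD0vgQ")`; against a deployment, call `onboard_user` with the real Keystone and KeyRock base URLs and leave `send` at its default. The fake refuses a `/v3/` call without an X-Auth-Token and a token request without Basic client authentication, which is the failure you should expect from the real endpoints if the admin token or the consumer credentials are wrong, so a missing or expired token surfaces as a `KeyRockError` before any role is assigned.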

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.

 