Fiware KeyRock SCIM API bug: _check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName'


Problem description

We want to use the FIWARE IdM, both Keystone and Horizon. Specifically during sign-up we want to

  • create a user
  • add that user to an organisation
  • authorize the user for an application

We have installed Keystone and Horizon using the latest KeyRock docker image on the docker hub (https://hub.docker.com/r/fiware/idm/).

Because the KeyRock web interface creates Cloud organisations, community users in regions like Spain etc., I decided to try to use the SCIM API to create and authorize users:

Note: The SCIM API documents (http://docs.keyrock.apiary.io/#reference/scim-2.0) imply the SCIM calls are on the KeyRock server port, however they are available on the Keystone server port. The SCIM documentation would be clearer if it mentioned http://[keystone server]/v3/OS-SCIM/v2/Users/ instead of http://keyrock/v3/OS-SCIM/v2/Users/

Let's say we have an application (SCIM consumer) with application_id=app1. This application is created using the Horizon front-end, or using the

    POST /v3/OS-OAUTH2/consumers 

call. I am not aware of a difference between the two ways of creating an application, although I have not tried the latter yet. This is a one-time operation, so we used the web interface to create the application and associated role.

so we have a role for the application = role1

and we create a user using SCIM

    POST /v3/OS-SCIM/v2/Users/

that yields user_id=user1

When I try to authorize him for our application with

    PUT /v3/OS-ROLES/users/user1/applications/app1/roles/role1

I get the following error:

    {
      "error": {
        "message": "_check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName'",
        "code": 400,
        "title": "Bad Request"
      }
    }

The next step would be to obtain a resource owner token through KeyRock using

    POST [KeyStone server]/oauth2/token

But that is moot because of the above error.

Logging into the KeyRock user interface with user1 gives the error: "You are not authorized for any projects." I assume this is because user1 is not authorized for an organisation. user1 is invisible to other users or the admin in the KeyRock user interface, so I cannot assign the necessary authorizations.

Any ideas anyone? Which roles does user1 still need to have and how to assign them so that KeyRock is satisfied?

Recommended answer

After looking deep into your issue, it turns out that it might be related to the lack of the new user's default organization. Even though requests to SCIM API Users endpoint should create only users, it is certain that KeyRock users have internally a default organization, which cannot be seen from the outside. Since it makes sense to create this organization automatically as well, we just made a few improvements in the SCIM controller at KeyRock that take charge of this. You can take a look at the changes in our GitHub repository.

I myself made sure that this should solve your issue, by following the same flow (note that the value of the X-Auth-Token header is an admin token and that the Host header should be your Keystone endpoint):

  1. Register a user through SCIM API:

    POST /v3/OS-SCIM/v2/Users HTTP/1.1
    Host: localhost:5000
    Accept: */*
    Content-Type: application/json
    X-Auth-Token: 6bd914d9976c448a98b83ccaf5931c4e
    Content-Length: 55

    {
      "userName": "foo@foo.bar",
      "password": "foobar"
    }

    Which returns the following response:

    HTTP/1.1 201 Created
    Vary: X-Auth-Token
    Content-Type: application/json
    Content-Length: 276

    {
      "userName": "foo@foo.bar",
      "urn:scim:schemas:extension:keystone:2.0": {
        "domain_id": "default",
        "default_project_id": "c590cea2b37c4f1c9ca94a015837cde9"
      },
      "active": true,
      "id": "foo-foo-bar",
      "schemas": [
        "urn:scim:schemas:core:2.0",
        "urn:scim:schemas:extension:keystone:2.0"
      ]
    }

  • Authorize the newly created user for the application app1 by assigning them the role role1:

    PUT /v3/OS-ROLES/users/foo-foo-bar/applications/app1/roles/role1 HTTP/1.1
    Host: localhost:5000
    Accept: */*
    Content-Type: application/json
    X-Auth-Token: fd817b31444141a7a8a15d6d6afd2078
    

    Which in turn returns the following success response:

    HTTP/1.1 204 No Content
    Vary: X-Auth-Token
    Content-Length: 0
    

  • After this, I was finally able to obtain a resource owner OAuth2 token, as you requested (the Authorization header includes the OAuth2 credentials of app1).

    POST /oauth2/token HTTP/1.1
    Host: localhost:8000
    Accept: */*
    Authorization: Basic 12345678abcdefgh=
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 56
    
    grant_type=password&username=foo@foo.bar&password=foobar
    

    Which finally returns the token:

    HTTP/1.0 200 OK
    Vary: Accept-Language, Cookie
    Content-Type: application/json
    
    {
      "access_token": "JYjCV2H8QNakRPUqqdoAHZmpmD0vgQ",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "snnS8djsYw62aUtl9Szk9BBqti36jF"
    }
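
The three-step flow from the answer (SCIM user creation, application role assignment, password grant) as an added Python example; it is not part of the original answer or of KeyRock's own code. Endpoints, paths and header names are taken from the answer; the function names and the `send` transport parameter are assumptions made for illustration.

```python
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode

KEYSTONE = "http://localhost:5000"  # Keystone endpoint used in the answer
KEYROCK = "http://localhost:8000"   # KeyRock (Horizon) endpoint used in the answer

def scim_create_user(admin_token, user_name, password):
    """Step 1: POST /v3/OS-SCIM/v2/Users on the Keystone port."""
    body = json.dumps({"userName": user_name, "password": password}).encode()
    return urllib.request.Request(
        KEYSTONE + "/v3/OS-SCIM/v2/Users", data=body, method="POST",
        headers={"Content-Type": "application/json", "X-Auth-Token": admin_token})

def assign_app_role(admin_token, user_id, app_id, role_id):
    """Step 2: PUT the application role for the user (the answer gets a 204)."""
    path = "/v3/OS-ROLES/users/{}/applications/{}/roles/{}".format(
        *(quote(v, safe="") for v in (user_id, app_id, role_id)))  # ids stay one segment
    return urllib.request.Request(
        KEYSTONE + path, method="PUT",
        headers={"Content-Type": "application/json", "X-Auth-Token": admin_token})

def password_grant(client_id, client_secret, user_name, password):
    """Step 3: resource owner password grant; the application uses HTTP Basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = urlencode(  # urlencode escapes '@', '&' and '=' inside the values
        {"grant_type": "password", "username": user_name, "password": password})
    return urllib.request.Request(
        KEYROCK + "/oauth2/token", data=form.encode(), method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})

def http_send(req):
    """Default transport: (status, parsed JSON or None); 4xx/5xx raise HTTPError."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def provision(admin_token, client, user_name, password, app_id, role_id, send=http_send):
    """Run the three steps in order; stop at the first unexpected status."""
    def call(req, want):
        status, body = send(req)
        if status != want:
            raise RuntimeError(f"{req.get_method()} {req.full_url}: got {status}")
        return body
    user = call(scim_create_user(admin_token, user_name, password), 201)
    call(assign_app_role(admin_token, user["id"], app_id, role_id), 204)
    return user["id"], call(password_grant(*client, user_name, password), 200)
```

`client` is the `(client_id, client_secret)` pair of app1. The role assignment uses the `id` returned by the SCIM call (`foo-foo-bar` in the answer), not the `userName`.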
    
