...
- the registry admin is professor3
- for the moment, 3 COs have been created: aarc-white.pilots.aarc-project.eu, aarc-yellow.pilots.aarc-project.eu and aarc-blue.pilots.aarc-project.eu
- each CO corresponds to a dedicated project in OpenStack
- we are testing the user mapping to the several projects in OpenStack: depending on their role in their CO, users have different rights in their project
To implement the mapping based on the attributes provided by COmanage, new projects and groups have been created on OpenStack. We used the COmanage default groups to assign the proper access rights on OpenStack: in general, the "member" group in COmanage grants the "user" role in OpenStack, while the "admin" group grants the "admin" role. The following table reports the role held by each OpenStack group in the various projects:
Group | aarc-white | aarc-yellow | aarc-blue | aarc-social
---|---|---|---|---
white-normal | user | | |
white-super | admin | | |
yellow-normal | | user | |
yellow-super | | admin | |
blue-normal | | | user |
blue-super | | | admin |
social-normal | | | | user
social-super | | | | admin
Here is an example of the SAML assertion attribute provided by COmanage that we are using to map the user:
```
'entitlement': 'urn:mace:aarc-project.eu:am03.pilots.aarc-project.eu:members:member@aarc-white.pilots.aarc-project.eu;urn:mace:aarc-project.eu:am03.pilots.aarc-project.eu:admin:member@aarc-white.pilots.aarc-project.eu'
```
Since the entitlement contains the value "urn:mace:aarc-project.eu:am03.pilots.aarc-project.eu:admin:member@aarc-white.pilots.aarc-project.eu", the user, who has the admin role in the CO aarc-white.pilots.aarc-project.eu, is mapped to the white-super group with the admin role in OpenStack.
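
The mapping described above, written out as an added Python illustration (not the pilot's actual OpenStack mapping configuration). The function and table names are hypothetical, and it assumes that each value must match in full, that unknown COs or groups grant nothing, and that the highest role wins per project.

```python
import re

# Entitlement layout as seen in the sample assertion on this page:
#   <PREFIX><COmanage group>:member@<CO name>
PREFIX = "urn:mace:aarc-project.eu:am03.pilots.aarc-project.eu:"
ENTITLEMENT_RE = re.compile(
    re.escape(PREFIX) + r"(?P<group>[a-z]+):member@(?P<co>[a-z0-9.-]+)"
)

# CO -> colour used in the OpenStack project and group names (from the table).
CO_TO_COLOUR = {
    "aarc-white.pilots.aarc-project.eu": "white",
    "aarc-yellow.pilots.aarc-project.eu": "yellow",
    "aarc-blue.pilots.aarc-project.eu": "blue",
}
# COmanage group -> (OpenStack group suffix, OpenStack role, rank)
GROUP_TO_ROLE = {"members": ("normal", "user", 1), "admin": ("super", "admin", 2)}


def map_entitlement(attribute):
    """Return {project: (openstack_group, role)} for one entitlement attribute.

    Values are matched in full (fullmatch), so a value that merely contains
    a valid entitlement as a substring grants nothing; unknown COs or
    groups are ignored rather than mapped to a default.
    """
    best = {}
    for value in attribute.split(";"):
        m = ENTITLEMENT_RE.fullmatch(value.strip())
        if not m:
            continue
        colour = CO_TO_COLOUR.get(m.group("co"))
        role = GROUP_TO_ROLE.get(m.group("group"))
        if colour is None or role is None:
            continue
        project = "aarc-" + colour
        suffix, name, rank = role
        if rank > best.get(project, (None, None, 0))[2]:
            best[project] = (f"{colour}-{suffix}", name, rank)
    return {p: (g, r) for p, (g, r, _) in best.items()}


# Sample input: the entitlement value shown in the assertion on this page.
SAMPLE = (PREFIX + "members:member@aarc-white.pilots.aarc-project.eu;"
          + PREFIX + "admin:member@aarc-white.pilots.aarc-project.eu")

if __name__ == "__main__":
    print(map_entitlement(SAMPLE))
```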