Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1354683 - Users created is tightly coupled with the authentication provider name
Summary: Users created is tightly coupled with the authentication provider name
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.2.0
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
: ---
Assignee: Jordan Liggitt
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-11 22:55 UTC by rodrigo ramalho
Modified: 2016-10-30 22:55 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-12 00:53:59 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description rodrigo ramalho 2016-07-11 22:55:39 UTC
Description of problem:
When a identity provider is configured the name is tightly coupled with the users, like showed above:

[root@master ~]# oc get user
NAME      UID                                    FULL NAME   IDENTITIES
admin     b9159e1e-d0f5-11e5-bec7-005056ac5e1e               my_htpasswd_provider:admin
asu45a    4588bafb-0ca4-11e6-a0b5-005056ac5e1e   asu45a Active_Directory:CN=asu45a,OU=.....

The problems is because that name is showed on login screen in case of multiple identity providers, so if the name is updated the users identities reference breaks, without a warning or any kind of notify.

As a solution i think a new attribute "display name" can be used as the friendly name (that will be shown on login screen) and always that a name attribute has changed and a user exists using the provider, a warning should be triggered.

Version-Release number of selected component (if applicable): 3.2


How reproducible: 100%


Steps to Reproduce:
1. Create multiple identity providers
2. Create users using this providers
3. Change identity providers name

Actual results: The users can't login anymore.


Expected results: The users can authenticate normally. 


Additional info:

Comment 1 Jordan Liggitt 2016-07-12 00:53:59 UTC
This is working as designed. A particular identity from a particular identity provider *should* be tightly coupled to the resulting user. 

If all you want to do is customize the appearance on the provider selection page, you can fully customize the selection page, including display name of providers (or layout, or icons, etc). See https://docs.openshift.org/latest/install_config/web_console_customization.html#customizing-the-login-page

If you actually want to rename an identity provider, you can make identities from the new provider add themselves to existing users by changing the mappingMethod from "claim" to "add". See https://docs.openshift.org/latest/install_config/configuring_authentication.html#mapping-identities-to-users


Note You need to log in before you can comment on or make changes to this bug.