{"id":13557924,"url":"https://github.com/ging/fiware-keystone-scim","last_synced_at":"2025-04-03T12:31:21.086Z","repository":{"id":33876930,"uuid":"37586681","full_name":"ging/fiware-keystone-scim","owner":"ging","description":"OpenStack Keystone SCIM (System for Cross-domain Identity Management) extenstion","archived":false,"fork":true,"pushed_at":"2015-10-27T08:31:10.000Z","size":178,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":19,"default_branch":"develop","last_synced_at":"2024-11-04T08:36:50.678Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"telefonicaid/fiware-keystone-scim","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ging.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-06-17T09:47:37.000Z","updated_at":"2015-10-25T21:29:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ging/fiware-keystone-scim","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ging%2Ffiware-keystone-scim","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ging%2Ffiware-keystone-scim/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ging%2Ffiware-keystone-scim/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ging%2Ffiware-keystone-scim/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ging","download_url":"https://codeload.github.com/ging/fiware-keystone-scim/tar.gz/refs/heads/devel
op","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247002311,"owners_count":20867442,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T12:04:37.552Z","updated_at":"2025-04-03T12:31:20.205Z","avatar_url":"https://github.com/ging.png","language":"Python","funding_links":[],"categories":["Python","others"],"sub_categories":[],"readme":"# Keystone SCIM extension\n\nKeystone SCIM is an OpenStack Keystone extension that enables the management\nof Users, Groups and Roles using the [SCIM v1.1 standard](\nhttp://www.simplecloud.info). Like any Keystone extension, it's designed to be\ninstalled on top of an existing Keystone installation, following Keystone\nrecommendations for extensions.\n\nA brief description of SCIM:\n\n\u003e The SCIM standard was created to simplify user management in the cloud by\ndefining a schema for representing users and groups and a REST API for all\nthe necessary CRUD operations.\n\nThe SCIM User and Group APIs are a direct translation of the Keystone User and Group\nAPIs; they even share the same security policies (with the exact same names).\n\nOn the other hand, SCIM Roles are slightly different from Keystone Roles: now\nSCIM Roles are _domain aware_. The extension implementation does not make\nany modification to the underlying database, in order to maintain backward\ncompatibility with the Keystone Roles API.\n\nSCIM Roles are implemented on top of Keystone Roles, prefixing the `domain\nid` to the role name. You may argue that this is kind of a hack, and that the\nrelational integrity is not maintained. 
And that's true, but in this way the\ndatabase schema is not modified and thus the Keystone Roles API can interact\nwith SCIM Roles _out-of-the-box_.\n\n## Installing\n\n### RPM installation on RDO OpenStack\n\nInstalling from RPM is pretty straightforward:\n\n```sh\nrpm -Uvh keystone-scim-*.noarch.rpm\n```\n\nOnce installed you can fine-tune the permissions (out of the box the\ninstallation configures the permissions to `rule:admin_required` for Role\nmanagement; User and Group management reuses the Keystone permissions).\n\nRestart the Keystone server:\n\n```sh\nsudo service openstack-keystone restart\n```\n\n### TGZ installation\n\n**TBD**\n\n### Permissions fine tuning\n\nAs SCIM Roles are domain aware, a new set of permissions is defined to take\ncare of the domain.\n\nSample permissions:\n\n```\n\"identity:scim_get_role\": \"rule:admin_required\"\n\"identity:scim_list_roles\": \"rule:admin_required\"\n\"identity:scim_create_role\": \"rule:admin_required\"\n\"identity:scim_update_role\": \"rule:admin_required\"\n\"identity:scim_delete_role\": \"rule:admin_required\"\n\"identity:scim_get_service_provider_configs\": \"\"\n\"identity:scim_get_schemas\": \"\"\n```\n\nRecommended (and tested) permissions for a Keystone domain aware configuration\n(this config assumes that the Keystone policy is configured using\n`policy.v3cloudsample.json`):\n\n```\n\"identity:scim_delete_role\": \"rule:cloud_admin or rule:admin_and_matching_domain_id\"\n\"identity:scim_update_role\": \"rule:cloud_admin or rule:admin_and_matching_domain_id\"\n\"identity:scim_get_role\": \"rule:cloud_admin or rule:admin_and_matching_domain_id\"\n\"identity:scim_list_roles\": \"rule:cloud_admin or rule:admin_and_matching_domain_id\"\n\"identity:scim_create_role\": \"rule:cloud_admin or rule:admin_and_matching_domain_id\"\n\"identity:scim_get_service_provider_configs\": \"\"\n\"identity:scim_get_schemas\": \"\"\n```\n\n## Usage\n\nThe SCIM extension reuses the authentication and authorization mechanisms 
provided\nby Keystone. This document assumes that the reader has previous experience\nwith Keystone, but as a reference you can read more about the Keystone\nAuthentication and Authorization mechanism in its\n[official documentation](https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md).\n\nSCIM itself is extensively documented in\n[Core Schema](http://www.simplecloud.info/specs/draft-scim-core-schema-01.html)\nand in [REST API](http://www.simplecloud.info/specs/draft-scim-api-01.html).\n\nGiven that both Keystone's auth mechanisms and SCIM are documented, this section\nfocuses on running examples, not covering the full API, but giving the reader\nan overview of how this extension should be used.\n\nCreating a User:\n\n```sh\ncurl http://\u003cKEYSTONE\u003e:5000/v3/OS-SCIM/v1/Users \\\n    -s \\\n    -H \"X-Auth-Token: \u003cTOKEN\u003e\" \\\n    -H \"Content-Type: application/json\" \\\n    -d '\n{\n    \"schemas\": [\"urn:scim:schemas:core:1.0\",\n                \"urn:scim:schemas:extension:keystone:1.0\"],\n    \"userName\": \"alice\",\n    \"displayName\": \"Alice Smith\",\n    \"password\": \"passw0rd\",\n    \"emails\": [\n        {\n            \"value\": \"alice@mailhost.com\"\n        }\n    ],\n    \"active\": true,\n    \"urn:scim:schemas:extension:keystone:1.0\": {\n        \"domain_id\": \"91d79dc2211d43a7985ebc27cdd146df\"\n    }\n}'\n```\n\nResponse:\n\n```json\n{\n  \"userName\": \"alice\",\n  \"displayName\": \"Alice Smith\",\n  \"urn:scim:schemas:extension:keystone:1.0\": {\n    \"domain_id\": \"91d79dc2211d43a7985ebc27cdd146df\"\n  },\n  \"emails\": [\n    {\n      \"value\": \"alice@mailhost.com\"\n    }\n  ],\n  \"active\": true,\n  \"id\": \"a5e8c847f7264c5a9f01a22904e3ae93\",\n  \"schemas\": [\n    \"urn:scim:schemas:core:1.0\",\n    \"urn:scim:schemas:extension:keystone:1.0\"\n  ]\n}\n```\n\nListing Users, filtering by `domain_id`:\n\n```sh\ncurl -s -X GET -H \"X-Auth-Token: \u003cTOKEN\u003e\" 
\\\nhttp://\u003cKEYSTONE\u003e:5000/v3/OS-SCIM/v1/Users?domain_id=\u003cDOMAIN_ID\u003e\n```\n\nResponse:\n\n```json\n{\n  \"Resources\": [\n    {\n      \"active\": true,\n      \"displayName\": \"adm1\",\n      \"id\": \"19041ee7679649879ada04417753ad4d\",\n      \"urn:scim:schemas:extension:keystone:1.0\": {\n        \"domain_id\": \"91d79dc2211d43a7985ebc27cdd146df\"\n      }\n    }\n  ],\n  \"schemas\": [\n    \"urn:scim:schemas:core:1.0\",\n    \"urn:scim:schemas:extension:keystone:1.0\"\n  ]\n}\n```\n\nListing supports pagination as defined by the SCIM standard, using the `count` and\n`startIndex` query params.\n\nCreating a Role:\n\n```sh\ncurl http://\u003cKEYSTONE\u003e:5000/v3/OS-SCIM/v1/Roles \\\n    -s \\\n    -H \"X-Auth-Token: \u003cTOKEN\u003e\" \\\n    -H \"Content-Type: application/json\" \\\n    -d '\n{\n  \"schemas\": [\"urn:scim:schemas:extension:keystone:1.0\"],\n  \"name\": \"aRoleName\",\n  \"domain_id\": \"\u003cDOMAIN_ID\u003e\"\n}'\n```\n\nResponse:\n\n```json\n{\n  \"schemas\": [\n    \"urn:scim:schemas:extension:keystone:1.0\"\n  ],\n  \"domain_id\": \"91d79dc2211d43a7985ebc27cdd146df\",\n  \"id\": \"c80481d244454cc7b796d4acf8625a69\",\n  \"name\": \"aRoleName\"\n}\n```\n\n## Building and packaging\n\nOn any RPM-based Linux distribution (CentOS, RHEL, etc.) with a sane build environment (basically with `rpmbuild`\ninstalled), the RPM package can be built by invoking the following command:\n\n```sh\nsh ./package-keystone-scim.sh\n```\n\n## Hacking\n\nLocal development (by default using `sqlite`). 
Running a local development\nserver is useful to test a full-featured Keystone server with the SCIM extension,\nand installation is straightforward following these steps:\n\nSet up a virtualenv (highly recommended).\n\n```sh\nvirtualenv .venv\n```\n\nActivate the virtualenv\n\n```sh\nsource .venv/bin/activate\n```\n\nDownload dependencies\n\n```sh\npip install -r requirements.txt\npip install -r test-requirements.txt\npip install tox\n```\n\nRunning tests (functional and unit tests)\n\n```sh\ntox -e py27\n```\n\nSetting up a local development server. First populate the database (remember that\nthis will use `sqlite`).\n\n```sh\nkeystone-manage db_sync\n```\n\nLaunch the server\n\n```sh\nPYTHONPATH=.:$PYTHONPATH keystone-all --config-dir etc\n```\n\nTest the SCIM extension\n\n```sh\ncurl http://localhost:5000/v3/OS-SCIM/v1/ServiceProviderConfigs \\\n    -s \\\n    -H \"X-Auth-Token: ADMIN\"\n```\n\nThe response should look like:\n\n```json\n{\n  \"bulk\": {\n    \"maxPayloadSize\": 0,\n    \"supported\": false,\n    \"maxOperations\": 0\n  },\n  \"filter\": {\n    \"supported\": true,\n    \"maxResults\": 9223372036854776000\n  },\n  \"etag\": {\n    \"supported\": false\n  },\n  \"sort\": {\n    \"supported\": false\n  },\n  \"changePassword\": {\n    \"supported\": true\n  },\n  \"authenticationSchemes\": [\n    {\n      \"name\": \"Keytone Authentication\",\n      \"documentationUrl\": \"http://keystone.openstack.org/\",\n      \"primary\": true,\n      \"specUrl\": \"http://specs.openstack.org/openstack/keystone-specs\",\n      \"type\": \"keystonetoken\",\n      \"description\": \"Authentication using Keystone\"\n    }\n  ],\n  \"documentationUrl\": null,\n  \"xmlDataFormat\": {\n    \"supported\": false\n  },\n  \"patch\": {\n    \"supported\": true\n  }\n}\n```\n\n## Known limitations and future work\n\n* It's unclear whether the SCIM standard specifies the format of error messages.\n  This extension reuses Keystone error 
messages.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fging%2Ffiware-keystone-scim","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fging%2Ffiware-keystone-scim","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fging%2Ffiware-keystone-scim/lists"}