X-Map-Roles is missing, can’t be decoded, or is a malformed JSON object.
Tenant Culling Filter
The Tenant Culling filter is used on resources that need further specific tenant id information. The filter looks at all the tenants that Keystone returns for a user to creates and populates a list of them based on the specific roles that were used to grant access to the resource.
General filter information
-
Name: tenant-culling
-
Default Configuration: No configuration
-
Released: v8.7.0.0
-
Bundle: repose-filter-bundle
-
No Configuration Schema
Prerequisites & Postconditions
Required Request Headers
-
X-Map-Roles- Identifies the tenant-to-role mapping for all of the user’s tenants and roles. This header is a base 64 encoded JSON map of strings to array of strings (e.g., the base 64 encoding of{"someTenant": ["someRole", "sharedRole"], "otherTenant": ["otherRole", "sharedRole"]}). Roles without a tenant association will be mapped to therepose/domain/roleskey (e.g.,{"repose/domain/roles": ["tenantlessRole"]}). -
X-Relevant-Roles- The roles this user was granted access based on.
Required Preceding Filters
The following filters are used to populate the Required Request Headers:
-
Keystone v2 filter - Populates the
X-Map-Rolesheader needed to determine the appropriate tenant ids. -
Simple RBAC filter / API Validator filter - Either one is required because they set the
X-Relevant-Rolesheader.
Request Headers Created
-
X-Tenant-Id- The tenants that match the roles this request was authorized with. -
X-Map-Roles- The mapping will be updated to only contain those tenants that have a role that matched against relevant roles.
|
These headers prior values will be overwritten where existent. |