
yahoo-eng-team team mailing list archive

[Bug 1261847] Re: User with admin role in one domain and role member in another domain, usually works as admin but can not generate a token using role member

 

I created a new user "user1" in "domain1" with the "admin" role. Then I created a new domain "domain2" and assigned the role "Member" to "user1" on "domain2". I tried the following combinations to repro:
1. Request token by specifying authenticate domain "domain1" in "identity", also passing domain2 as scope. It worked fine!
2. Request token by specifying authenticate domain "domain2" in "identity", also passing domain2 as scope. This one failed!
3. Request token not specifying domain in "identity", also passing domain2 as scope. This one failed!

I went through the implementation: a user only belongs to one domain, though the user's roles can be assigned to multiple domains. Authentication has to be against the domain specified when creating this user. So I think this behavior makes sense and is by design.
Please reopen it if this is different from what you saw.

Thanks,
Xuhui

** Changed in: keystone
       Status: New => In Progress

** Changed in: keystone
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1261847

Title:
  User with admin role in one domain and role member in another domain,
  usually works as admin but can not generate a token using role member

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  When creating a user with the admin role in domain 'X' and assigning
  the same user the member role in domain 'Y', then requesting a token
  in v3 keystone for the 'Y' domain, an error is returned saying that the
  user is not associated with this domain, and the user cannot progress.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1261847/+subscriptions
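
The three token requests tried in the comment above, as an added example that is not part of the original message and is not Keystone code. It builds the v3 `POST /v3/auth/tokens` bodies and runs them through a simplified model in which the "identity" domain selects the user and the "scope" domain is resolved through role assignments; the user table, password and helper names are constructed for illustration.

```python
import hmac

# Constructed sample data: a user is owned by exactly one domain.
USERS = {("domain1", "user1"): "s3cret"}
# Role assignments may target any domain:
# (owning domain, user name, target domain) -> role
ROLE_ASSIGNMENTS = {
    ("domain1", "user1", "domain1"): "admin",
    ("domain1", "user1", "domain2"): "Member",
}


def build_auth_request(user, password, user_domain, scope_domain):
    """Build a v3 token request body; user_domain=None omits the identity domain."""
    user_obj = {"name": user, "password": password}
    if user_domain is not None:
        user_obj["domain"] = {"name": user_domain}
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": user_obj}},
        "scope": {"domain": {"name": scope_domain}},
    }}


def issue_token(body):
    """Return the role granted on the scoped domain, or raise PermissionError."""
    user = body["auth"]["identity"]["password"]["user"]
    domain = user.get("domain", {}).get("name")
    # Authentication: the user is looked up in the domain named under "identity".
    stored = USERS.get((domain, user["name"]))
    if stored is None or not hmac.compare_digest(stored, user["password"]):
        raise PermissionError("user not found in the identity domain")
    # Authorization: the scope is checked separately, via role assignments.
    scope = body["auth"]["scope"]["domain"]["name"]
    role = ROLE_ASSIGNMENTS.get((domain, user["name"], scope))
    if role is None:
        raise PermissionError("user has no role on the scoped domain")
    return role


def try_case(user_domain, scope_domain):
    """Run one combination from the comment and report the outcome as a string."""
    body = build_auth_request("user1", "s3cret", user_domain, scope_domain)
    try:
        return issue_token(body)
    except PermissionError as exc:
        return f"rejected: {exc}"
```
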

