yahoo-eng-team team mailing list archive

[Bug 1318677] [NEW] Roles applied on Group does not reflect

 

Public bug reported:

I have policies which take into effect the project_id and the user role
to decide whether the user is authorized to perform any operation. If I
assign a role to user explicitly, everything works fine.

Now, I wanted to make use of the Groups concept.
Therefore, I created a group and assigned a role to the group which I have used in the policy rules.
When I create a user, instead of assigning the role to the user, I assign it to the group, since a user belonging to a group should implicitly get the role that is applied on the group, but this does not work.

Verification:
Policy rules fail to take effect since, doing a GET on the user, the roles are shown empty. Therefore, it seems like roles applied on the group never take effect.

Note: Using the v3 GET API, listing roles on a group works, but getting the
roles for a user does not show the role present for the group to which
the user belongs.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: groups keystone roles

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1318677

Title:
  Roles applied on Group does not reflect

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1318677/+subscriptions
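
An added example, not part of the bug report and not Keystone's code: a simplified model of the two views the report contrasts, roles granted directly to a user versus roles effective through group membership, and how a project-plus-role policy check behaves under each. All names and sample data (`Grant`, `ops`, `alice`, `bob`, `proj-1`, `operator`) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    actor_type: str  # "user" or "group"
    actor_id: str
    project_id: str
    role: str


# Constructed sample data: alice only gets her role through the "ops" group,
# bob has the same role granted directly.
GROUP_MEMBERS = {"ops": {"alice"}}
GRANTS = [
    Grant("group", "ops", "proj-1", "operator"),
    Grant("user", "bob", "proj-1", "operator"),
]


def direct_roles(user, project):
    """Roles granted to the user itself; group grants are not consulted."""
    return {g.role for g in GRANTS
            if g.actor_type == "user" and g.actor_id == user
            and g.project_id == project}


def effective_roles(user, project):
    """Direct grants plus grants on every group the user belongs to."""
    groups = {gid for gid, members in GROUP_MEMBERS.items() if user in members}
    inherited = {g.role for g in GRANTS
                 if g.actor_type == "group" and g.actor_id in groups
                 and g.project_id == project}
    return direct_roles(user, project) | inherited


def authorize(roles, token_project, target_project, required_role):
    """Policy rule in the style the report describes: project match and role."""
    return token_project == target_project and required_role in roles


if __name__ == "__main__":
    for user in ("alice", "bob"):
        d, e = direct_roles(user, "proj-1"), effective_roles(user, "proj-1")
        print(user, "direct:", sorted(d), "effective:", sorted(e),
              "allowed(direct):", authorize(d, "proj-1", "proj-1", "operator"),
              "allowed(effective):", authorize(e, "proj-1", "proj-1", "operator"))
```
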