yahoo-eng-team team mailing list archive
Message #24372
[Bug 1390640] [NEW] /auth/domains incorrectly includes domains with only user inherited roles
Public bug reported:
The /auth/domains API call is meant to return a list of domains for which
the user could ask for a domain-scoped token - i.e. any domain on which
they have a role. However, the code does not differentiate between
inherited and non-inherited user roles - and hence might include domains
for which the user has no effective role (a domain inherited role ONLY
applies to the projects within that domain, not to the domain itself).
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: New
** Changed in: keystone
Importance: Undecided => Medium
** Changed in: keystone
Importance: Medium => High
** Changed in: keystone
Assignee: (unassigned) => Henry Nash (henry-nash)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1390640
Title:
/auth/domains incorrectly includes domains with only user inherited
roles
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1390640/+subscriptions
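
The distinction the report describes, as an added example that is not part of the original message and is not Keystone's code. The `Assignment` record, its `inherited` flag, the function names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Assignment:
    # Hypothetical, simplified record; not Keystone's schema.
    user_id: str
    role: str
    domain_id: Optional[str] = None   # assignment made on a domain
    project_id: Optional[str] = None  # assignment made on a project
    inherited: bool = False           # domain role that applies only to its projects

def domains_any_role(assignments, user_id):
    """Reported behaviour: any domain assignment counts, inherited or not."""
    return sorted({a.domain_id for a in assignments
                   if a.user_id == user_id and a.domain_id})

def domains_effective_role(assignments, user_id):
    """Expected behaviour: only non-inherited roles apply to the domain itself."""
    return sorted({a.domain_id for a in assignments
                   if a.user_id == user_id and a.domain_id and not a.inherited})

def projects_effective_role(assignments, user_id, project_domain):
    """Direct project roles plus domain roles inherited by the domain's projects."""
    mine = [a for a in assignments if a.user_id == user_id]
    direct = {a.project_id for a in mine if a.project_id}
    donors = {a.domain_id for a in mine if a.domain_id and a.inherited}
    return sorted(direct | {p for p, d in project_domain.items() if d in donors})

# Constructed sample data.
PROJECT_DOMAIN = {"p1": "d1", "p2": "d2", "p3": "d2"}
ASSIGNMENTS = [
    Assignment("alice", "admin", domain_id="d1"),                   # direct only
    Assignment("alice", "member", domain_id="d2", inherited=True),  # inherited only
    Assignment("alice", "reader", domain_id="d3", inherited=True),  # inherited ...
    Assignment("alice", "reader", domain_id="d3"),                  # ... and direct
    Assignment("alice", "member", project_id="p1"),
    Assignment("bob", "admin", domain_id="d2"),
]

if __name__ == "__main__":
    print("any role:      ", domains_any_role(ASSIGNMENTS, "alice"))
    print("effective role:", domains_effective_role(ASSIGNMENTS, "alice"))
    print("projects:      ", projects_effective_role(ASSIGNMENTS, "alice", PROJECT_DOMAIN))
```

Domain `d2` is the case from the report: it appears in the unfiltered list although the user's only role there is inherited, while `d3` stays in both lists because a direct role exists alongside the inherited one.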