yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1390640] Re: /auth/domains incorrectly includes domains with only user inherited roles

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Chuck Short <chuck.short@xxxxxxxxxxxxx>
Date: Thu, 29 Jan 2015 15:03:42 -0000
Reply-to: Bug 1390640 <1390640@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: keystone/juno
   Importance: Undecided
       Status: New

** Changed in: keystone/juno
    Milestone: None => 2014.2.2

** Changed in: keystone/juno
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1390640

Title:
  /auth/domains incorrectly includes domains with only user inherited
  roles

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone juno series:
  Fix Committed

Bug description:
  The /auth/domains API call is meant to return list of domains for
  which the user could ask for a domain-scoped token - i.e. any domain
  on which they have a role. However, the code manager/driver method it
  calls (list_domain_for_user) does not differentiate between inherited
  and non-inherited user roles - and hence might include domains for
  which the user has no effective role (a domain inherited role ONLY
  applies to the projects within that domain, not to the domain itself).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1390640/+subscriptions

References

[Bug 1390640] [NEW] /auth/domains incorrectly includes domains with only user inherited roles
From: Henry Nash, 2014-11-07