yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1546039] [NEW] If one trustor role is removed, the trust cannot be used

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Henry Nash <henryn@xxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Feb 2016 10:53:23 -0000
Reply-to: Bug 1546039 <1546039@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

If a trust is created with a list of roles, when the trust is used by
the trustee to obtain a token, we first make sure that the trustor still
has all the delegated roles. However, the way the code is written, if
any have been removed, we immediately fail the token creation, rather
than, instead, grant the token with the remaining roles. The current
exception comment suggests that this was not our intention.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1546039

Title:
  If one trustor role is removed, the trust cannot be used

Status in OpenStack Identity (keystone):
  New

Bug description:
  If a trust is created with a list of roles, when the trust is used by
  the trustee to obtain a token, we first make sure that the trustor
  still has all the delegated roles. However, the way the code is
  written, if any have been removed, we immediately fail the token
  creation, rather than, instead, grant the token with the remaining
  roles. The current exception comment suggests that this was not our
  intention.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1546039/+subscriptions

Follow ups

[Bug 1546039] Re: If one trustor role is removed, the trust cannot be used
From: Adam Young, 2016-02-16