yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #52094
[Bug 1590583] [NEW] domain-specific role in one domain should not be able to imply a domain-specific role from another domain
Public bug reported:
By design, domain-specific roles are visible within their owning domains
only. In other words, domain-specific role in domain "foo" should not be
able to imply a domain-specific role from domain "bar".
To reproduce:
1. create a domain-specific role "foo_domain_role" in domain "foo".
2. create a domain-specific role "bar_domain_role" in domain "bar".
3. PUT /v3/roles/<foo_domain_role_id>/implies/<bar_domain_role_id>
4. list implies for "foo_domain_role" and you'll see "bar_domain_role" on the list
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163/implies | python -mjson.tool
{
"role_inference": {
"implies": [
{
"id": "3171089626224021afc0299a0c9b916e",
"links": {
"self": "http://10.0.2.15/identity/v3/roles/3171089626224021afc0299a0c9b916e";
},
"name": "bar_domain_role"
}
],
"prior_role": {
"id": "306b6d6f97084df983a6f2fa30cf1163",
"links": {
"self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163";
},
"name": "foo_domain_role"
}
}
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool
{
"role": {
"domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
"id": "306b6d6f97084df983a6f2fa30cf1163",
"links": {
"self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163";
},
"name": "foo_domain_role"
}
}
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1590583
Title:
domain-specific role in one domain should not be able to imply a
domain-specific role from another domain
Status in OpenStack Identity (keystone):
New
Bug description:
By design, domain-specific roles are visible within their owning
domains only. In other words, domain-specific role in domain "foo"
should not be able to imply a domain-specific role from domain "bar".
To reproduce:
1. create a domain-specific role "foo_domain_role" in domain "foo".
2. create a domain-specific role "bar_domain_role" in domain "bar".
3. PUT /v3/roles/<foo_domain_role_id>/implies/<bar_domain_role_id>
4. list implies for "foo_domain_role" and you'll see "bar_domain_role" on the list
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163/implies | python -mjson.tool
{
"role_inference": {
"implies": [
{
"id": "3171089626224021afc0299a0c9b916e",
"links": {
"self": "http://10.0.2.15/identity/v3/roles/3171089626224021afc0299a0c9b916e";
},
"name": "bar_domain_role"
}
],
"prior_role": {
"id": "306b6d6f97084df983a6f2fa30cf1163",
"links": {
"self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163";
},
"name": "foo_domain_role"
}
}
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool
{
"role": {
"domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
"id": "306b6d6f97084df983a6f2fa30cf1163",
"links": {
"self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163";
},
"name": "foo_domain_role"
}
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1590583/+subscriptions
Follow ups
