yahoo-eng-team team mailing list archive
Message #52096
[Bug 1590587] [NEW] assigning a domain-specific role in domain A for a user to a project in domain B should be prohibited
Public bug reported:
Domain-specific roles are visible in their owning domains only.
Therefore, assigning a domain-specific role in a domain to users for a
project in another domain should be prohibited.
To reproduce:
1. Create a domain-specific "foo_domain_role" in the "foo" domain.
2. Create a project "bar_project" in the "bar" domain.
3. Create a user "bar_user" in the "bar" domain.
4. Now assign the role "foo_domain_role" to user "bar_user" for "bar_project". This should yield 403 instead of 201.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1590587
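The check this report asks for, sketched as an added example (not Keystone's code and not part of the original report): it refuses a domain-specific role on a project in another domain, and audits grants already stored for the same mismatch. `Role`, `Project`, `cross_domain`, `assign_role` and `audit` are hypothetical names, the data is constructed, and the assumption is that a global role has no `domain_id`.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    id: str
    domain_id: Optional[str] = None  # assumption: None marks a global role


@dataclass(frozen=True)
class Project:
    id: str
    domain_id: str


def cross_domain(role: Role, project: Project) -> bool:
    """True when a domain-specific role is used outside its owning domain."""
    return role.domain_id is not None and role.domain_id != project.domain_id


def assign_role(grants, role, user_id, project):
    """Record the grant and return 201, or refuse with 403 as the report expects."""
    if cross_domain(role, project):
        return 403
    grants.append((user_id, role.id, project.id))
    return 201


def audit(grants, roles, projects):
    """List grants already stored that the check above would now refuse."""
    return [g for g in grants if cross_domain(roles[g[1]], projects[g[2]])]


# Constructed sample data mirroring the reproduction steps (names used as ids).
ROLES = {r.id: r for r in (Role("foo_domain_role", "foo"),
                           Role("bar_domain_role", "bar"),
                           Role("member"))}
PROJECTS = {"bar_project": Project("bar_project", "bar")}

if __name__ == "__main__":
    # One grant stored before the check existed, as in step 4 returning 201.
    grants = [("bar_user", "foo_domain_role", "bar_project")]
    for name in ROLES:
        print(name, assign_role(grants, ROLES[name], "bar_user", PROJECTS["bar_project"]))
    print("to revoke:", audit(grants, ROLES, PROJECTS))
```

The audit step matters because rejecting new requests does not remove cross-domain grants that were accepted earlier.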