
yahoo-eng-team team mailing list archive

[Bug 1607655] [NEW] domain admin cannot create implied role in default v3 policy


Public bug reported:

In policy.v3cloudsample.json, the policies for implied roles are below.

    "identity:get_implied_role": "rule:cloud_admin",
    "identity:list_implied_roles": "rule:cloud_admin",
    "identity:create_implied_role": "rule:cloud_admin",
    "identity:delete_implied_role": "rule:cloud_admin",
    "identity:list_role_inference_rules": "rule:cloud_admin",
    "identity:check_implied_role": "rule:cloud_admin",

At the moment, this policy file allows cloud_admin to execute these processes.
However, in some cases, a domain admin creates domain-specific roles and creates a relation between a domain role and a global role by the feature of implied roles.
So I think these processes should also be done by a domain admin. But a domain admin should not be able to do this to a global role.

I'm sorry if I misunderstand this feature.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1607655

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1607655/+subscriptions
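As an added illustration (not from the bug report or from keystone's own code), the block below is a minimal evaluator for the rule syntax used in the quoted policy fragment. The `cloud_admin` definition is a simplified stand-in, and `domain_admin_matching_role_domain`, `identity:create_implied_role_proposed` and the `target.role.domain_id` key are assumptions used to show how a domain-scoped rule would admit a domain admin only for roles in that admin's own domain, while still denying changes to a global role.

```python
import re

# Constructed policy in the style of policy.v3cloudsample.json. "cloud_admin" is a
# simplified stand-in for keystone's real rule; the "domain_admin_matching_role_domain"
# rule, the "*_proposed" key and the "target.role.domain_id" attribute are hypothetical.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "domain_admin_matching_role_domain":
        "rule:admin_required and domain_id:%(target.role.domain_id)s",
    # Rule as shipped in the sample file: cloud_admin only.
    "identity:create_implied_role": "rule:cloud_admin",
    # Hypothetical relaxed rule: cloud admin, or a domain admin acting on a role of its own domain.
    "identity:create_implied_role_proposed":
        "rule:cloud_admin or rule:domain_admin_matching_role_domain",
}


def _check(atom, creds, target):
    """Evaluate one 'kind:value' atom against token credentials and the request target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return enforce(value, creds, target)
    if kind == "role":                      # role carried by the token
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:                                   # compare a credential against a target field
        value = target.get(m.group(1))
        return value is not None and creds.get(kind) == value
    return creds.get(kind) == value         # compare a credential against a literal


def enforce(rule, creds, target):
    """Evaluate a named rule; 'or' binds weaker than 'and', parentheses unsupported."""
    expr = POLICY[rule]
    return any(all(_check(a.strip(), creds, target) for a in conj.split(" and "))
               for conj in expr.split(" or "))


if __name__ == "__main__":
    cloud_admin = {"roles": ["admin"], "domain_id": "admin_domain_id"}
    domain_admin = {"roles": ["admin"], "domain_id": "d1"}
    domain_role = {"target.role.domain_id": "d1"}   # role owned by domain d1
    global_role = {"target.role.domain_id": None}   # global role has no domain
    for who, creds in (("cloud admin", cloud_admin), ("domain admin", domain_admin)):
        for name, tgt in (("domain role", domain_role), ("global role", global_role)):
            print(who, name, "shipped:", enforce("identity:create_implied_role", creds, tgt),
                  "proposed:", enforce("identity:create_implied_role_proposed", creds, tgt))
```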
