yahoo-eng-team team mailing list archive

[Bug 1590587] Re: assigning a domain-specific role in domain A for a user to a project in domain B should be prohibited

 

Reviewed:  https://review.openstack.org/365177
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=73bdbe1f87ac3571bb5a348158ad1e4ece73fbcc
Submitter: Jenkins
Branch:    master

commit 73bdbe1f87ac3571bb5a348158ad1e4ece73fbcc
Author: Sean Perry <sean.perry@xxxxxxx>
Date:   Fri Sep 2 16:48:54 2016 -0700

    Project domain must match role domain for assignment
    
    When assigning a Domain specific role to a user it is OK if the user
    is from a different domain, but the project's domain must match the
    role's domain.
    
    Closes-Bug: 1590587
    Change-Id: I1d63415de0130794939998c3e142ebdce9ddf39d


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1590587

Title:
  assigning a domain-specific role in domain A for a user to a project
  in domain B should be prohibited

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Domain-specific roles are visible in their owning domains only.
  Therefore, assigning a domain-specific role in a domain to users for a
  project in another domain should be prohibited.

  To reproduce:

  1. create a domain-specific "foo_domain_role" in the "foo" domain.
  2. create a project "bar_project" in "bar" domain.
  3. create a user "bar_user" in "bar" domain.
  4. now assign the role "foo_domain_role" to user "bar_user" for "bar_project", this should yield 403 instead of 201.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1590587/+subscriptions
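
Added example, not part of the original bug mail and not keystone's own code: a minimal Python model of the rule stated in the commit message, plus an audit pass that flags assignments stored before the check existed. The class and function names, the "member" global role and "foo_project" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Stands in for the 403 response the bug report expects."""


@dataclass(frozen=True)
class Role:
    name: str
    domain_id: Optional[str]  # None models a global (not domain-specific) role


@dataclass(frozen=True)
class Project:
    name: str
    domain_id: str


def check_project_assignment(role: Role, project: Project) -> None:
    # The user's domain is deliberately not an input: per the commit message,
    # only the project's domain has to match the role's domain.
    if role.domain_id is not None and role.domain_id != project.domain_id:
        raise Forbidden(f"role {role.name} (domain {role.domain_id}) cannot be "
                        f"assigned on project {project.name} "
                        f"(domain {project.domain_id})")


def audit_assignments(assignments, roles, projects):
    """Return the (user, role, project) tuples that violate the rule."""
    bad = []
    for user, role_name, project_name in assignments:
        try:
            check_project_assignment(roles[role_name], projects[project_name])
        except Forbidden:
            bad.append((user, role_name, project_name))
    return bad


# Constructed sample data mirroring the reproduction steps in the bug report.
ROLES = {"foo_domain_role": Role("foo_domain_role", "foo"),
         "member": Role("member", None)}
PROJECTS = {"bar_project": Project("bar_project", "bar"),
            "foo_project": Project("foo_project", "foo")}
ASSIGNMENTS = [("bar_user", "foo_domain_role", "bar_project"),  # the bug case
               ("bar_user", "foo_domain_role", "foo_project"),  # other-domain user: OK
               ("bar_user", "member", "bar_project")]           # global role: OK

if __name__ == "__main__":
    print(audit_assignments(ASSIGNMENTS, ROLES, PROJECTS))
```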
