yahoo-eng-team team mailing list archive

[OpenStack Infra <1593813@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/339558
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=47d4d08ecb6804841d6de640afed8ca743f254b3
Submitter: Jenkins
Branch:    master

commit 47d4d08ecb6804841d6de640afed8ca743f254b3
Author: Sean Perry <sean.perry@xxxxxxx>
Date:   Thu Sep 15 11:04:14 2016 -0700

    Give domain admin rights to domain specific implied roles
    
    Currently this is not working because of our default
    policy.v3cloudsample.json file. Add a new rule to check that the prior
    role's domain ID matches the domain ID of the user.
    
    Co-Authored-By: David Stanek <dstanek@xxxxxxxxxxx>
    Change-Id: Id1f5ccac3c639a44b33780b001e401bab195d8b3
    Closes-Bug: #1593813


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1593813

Title:
  domain admin unable to setup a domain-specific role to imply another
  domain-specific role in the same domain

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  With policy.v3cloudsample.json, domain admin of a domain is unable to
  setup a prior domain-specific role to imply another domain-specific
  role in the same domain. Per design, this is allowed.

  To reproduce.

  1. Create "DomainA"
  2. Create domain user "foo" in "DomainA"
  3. Make "foo" the domain admin of "DomainA"
  4. Get a DA token for "foo"
  5. As DA, create a domain-specific role "AppDev" in "DomainA"
  6. As DA, create a domain-specific role "AppAdmin" in "DomainA"
  7. As DA, try to make "AppAdmin" imples "AppDev" and prepare to receive a HTTP 403 response

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1593813/+subscriptions