yahoo-eng-team team mailing list archive

[Henry Nash <henry.nash@xxxxxxxxxx>]

Public bug reported:

The new capability of is_admin_project is currently only supported for
projects. However, the existing code for token models will return
is_admin_project as True if the attribute has not been set. Hence admin
domain tokens might get interpreted as cloud admin tokens. This is
currently masked by a bug in our policy samples that do not correctly
check for is_admin_project.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1651989

Title:
  domain admin token will be treated as cloud admin

Status in OpenStack Identity (keystone):
  New

Bug description:
  The new capability of is_admin_project is currently only supported for
  projects. However, the existing code for token models will return
  is_admin_project as True if the attribute has not been set. Hence
  admin domain tokens might get interpreted as cloud admin tokens. This
  is currently masked by a bug in our policy samples that do not
  correctly check for is_admin_project.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1651989/+subscriptions