yahoo-eng-team team mailing list archive

[Bug 1657865] [NEW] It is possible to create cross domain implied roles

 

Public bug reported:

Since we can't assign a project a role from a different domain, it is
expected to not create implied roles from different domains as well. For
example:

* user1
* project1 - domainA
* role1 - domainA
* role2 - domainB
* create an assignment: user1/project1/role1

If we create a rule where role1 implies role2, we would bypass the
domain restriction.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1657865

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1657865/+subscriptions
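
Added example (not part of the original report and not keystone code): a minimal Python model of the scenario above, showing how an unchecked implied-role rule puts role2 into the effective roles on project1, and the domain check at rule creation that the report expects. All class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    domain: str

class CrossDomainError(ValueError):
    """Raised when an operation would link objects from different domains."""

def assign(project_domain, role):
    # The restriction the report starts from: a project only takes
    # roles from its own domain.
    if role.domain != project_domain:
        raise CrossDomainError(f"{role.name} is not in {project_domain}")
    return role

def add_implied_role(rules, prior, implied, enforce=True):
    # The expected check: apply the same domain rule when the implication
    # is created. enforce=False models the reported behaviour.
    if enforce and prior.domain != implied.domain:
        raise CrossDomainError(
            f"{prior.name} and {implied.name} are in different domains")
    rules.setdefault(prior, set()).add(implied)

def effective_roles(rules, direct):
    # Expand implied roles transitively, starting from the direct grant.
    seen, todo = set(), [direct]
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(rules.get(role, ()))
    return seen

def foreign_roles(rules, project_domain, direct):
    # Audit helper: effective roles that direct assignment would refuse.
    return {r.name for r in effective_roles(rules, direct)
            if r.domain != project_domain}

# Constructed data matching the report's example.
role1, role2 = Role("role1", "domainA"), Role("role2", "domainB")
granted = assign("domainA", role1)  # user1/project1/role1

unchecked = {}
add_implied_role(unchecked, role1, role2, enforce=False)
print(foreign_roles(unchecked, "domainA", granted))  # {'role2'}
```

Running foreign_roles over existing rules is also a way to audit a deployment model for implications that were created before such a check existed.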

