yahoo-eng-team team mailing list archive

[Lance Bragstad <lbragstad@xxxxxxxxx>]

Currently, authorization in keystone is explicit in that you must grant
users roles on projects or domains in order for them to get tokens
scoped to those targets. Another option that might be available to you
is to use role inheritance [0]. This API let's you grant roles to users
and groups but let's them be inherited to children projects in the
hierarchy.

[0] https://developer.openstack.org/api-ref/identity/v3/index.html#os-
inherit-api

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1734117

Title:
  Scoping to project which is not on authentication domain is not
  working as expected

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  
  Having user "U" on domain "X" which has admin role on domain "X" and domain "Y"
  domain "X" and domain "Y" have projects "X1" and "Y1" respectively.

  Authenticating with user "U" on domain "X" and scoping to domain "X"
  OK.

  Authenticating with user "U" on domain "X" and scoping to domain "Y"
  OK.

  Authenticating with user "U" on domain "X" and scoping to project "X1" belonging to domain "X"
  OK.

  Authenticating with user "U" on domain "X" and scoping to project "Y1" belonging to domain "Y"
  FAILS.

  I expect the last authentication to succeed, since user has admin role
  on the domain of the project.

  This kind of authentication will succeed if admin role on project "Y"
  will be granted to the user.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1734117/+subscriptions