/auth/domains incorrectly includes domains with only group inherited roles
Bug #1385643 reported by Henry Nash
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Henry Nash | |
Juno | Fix Released | Medium | Brant Knudson | |
Bug Description
The /auth/domains API call is meant to return the list of domains for which the user could ask for a domain-scoped token - i.e. any domain on which they have a role. However, the code does not differentiate between inherited and non-inherited group roles - and hence might include domains for which the user has no effective role (a domain inherited role ONLY applies to the projects within that domain, not to the domain itself).
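The filtering error described above, as an added example in Python (a simplified model written for this page, not keystone's code). The `Assignment` class, the function names and the sample data are hypothetical, and the model assumes that only the group path skips the inherited check, as the bug title suggests.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Assignment:
    """Simplified role assignment (hypothetical model, not keystone's schema)."""
    role: str
    domain_id: str
    user_id: Optional[str] = None
    group_id: Optional[str] = None
    inherited: bool = False  # inherited: applies to the domain's projects only

# Constructed sample data: alice is a member of group "ops".
GROUPS = {"alice": {"ops"}}
ASSIGNMENTS = [
    Assignment("admin", "d-direct", user_id="alice"),
    Assignment("member", "d-group", group_id="ops"),
    Assignment("member", "d-group-inh", group_id="ops", inherited=True),
    Assignment("member", "d-user-inh", user_id="alice", inherited=True),
    Assignment("admin", "d-other", user_id="bob"),
]

def domains_as_reported(user_id):
    """Behaviour described in the report: the inherited flag is honoured
    for direct user roles but ignored for group roles."""
    groups = GROUPS.get(user_id, set())
    found = set()
    for a in ASSIGNMENTS:
        if a.user_id == user_id and not a.inherited:
            found.add(a.domain_id)
        elif a.group_id in groups:  # missing "not a.inherited" check
            found.add(a.domain_id)
    return sorted(found)

def domains_effective(user_id):
    """Corrected filter: an inherited domain role never counts as a role on
    the domain itself, whether it is held directly or through a group."""
    groups = GROUPS.get(user_id, set())
    found = set()
    for a in ASSIGNMENTS:
        if a.inherited:
            continue  # only the domain's projects receive this role
        if a.user_id == user_id or a.group_id in groups:
            found.add(a.domain_id)
    return sorted(found)

if __name__ == "__main__":
    print("as reported:", domains_as_reported("alice"))
    print("effective:  ", domains_effective("alice"))
```

The difference between the two results is the set of domains that would be offered for a domain-scoped token even though the user holds no effective role on them.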
Changed in keystone:
status: New → Triaged
summary:
- /auth/domains incorrectly includes domains with only inherited roles + /auth/domains incorrectly includes domains with only group inherited + roles |
description: updated
tags: added: juno-backport-potential
Changed in keystone:
milestone: none → kilo-1
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: kilo-1 → 2015.1.0
I found this doing a WIP code experiment for making assignments pluggable (see: https://review.openstack.org/#/c/129397/). It is clear that we have far too many ways of trying to work out what roles are effective on a given project or domain. Once we have improved the backend list_role_assignments() method (see: https://review.openstack.org/#/c/116682/), we should consider re-writing many of these calls to be based on the common method.