assigning a domain-specific role in domain A for a user to a project in domain B should be prohibited
Bug #1590587 reported by Guang Yee
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Sean Perry |
Bug Description
Domain-specific roles are visible in their owning domains only. Therefore, assigning a domain-specific role in a domain to users for a project in another domain should be prohibited.
To reproduce:
1. create a domain-specific "foo_domain_role" in the "foo" domain.
2. create a project "bar_project" in "bar" domain.
3. create a user "bar_user" in "bar" domain.
4. now assign the role "foo_domain_role" to user "bar_user" for "bar_project", this should yield 403 instead of 201.
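
The check the report asks for, together with an audit of grants made before such a check existed, as an added example that is not Keystone's code and not part of the original report. The `Role`, `Project`, `check_role_scope`, `assign_role` and `audit_grants` names are hypothetical, domain names stand in for domain IDs, and the 403/201 statuses are the ones the report cites.

```python
from typing import NamedTuple, Optional


class Role(NamedTuple):
    id: str
    domain_id: Optional[str]  # None means a global (non domain-specific) role


class Project(NamedTuple):
    id: str
    domain_id: str


class Forbidden(Exception):
    status = 403  # status the report expects for a cross-domain grant


def check_role_scope(role: Role, project: Project) -> None:
    """Reject a domain-specific role whose domain differs from the project's."""
    if role.domain_id is not None and role.domain_id != project.domain_id:
        raise Forbidden(f"role {role.id} (domain {role.domain_id}) is not "
                        f"visible in domain {project.domain_id}")


def assign_role(grants: set, role: Role, user_id: str, project: Project) -> int:
    """Record the grant if allowed; return the status named in the report."""
    try:
        check_role_scope(role, project)
    except Forbidden as exc:
        return exc.status
    grants.add((user_id, role.id, project.id))
    return 201  # success status as cited in the report


def audit_grants(grants: set, roles: dict, projects: dict) -> list:
    """Return existing grants that check_role_scope would reject today."""
    bad = []
    for user_id, role_id, project_id in sorted(grants):
        try:
            check_role_scope(roles[role_id], projects[project_id])
        except Forbidden:
            bad.append((user_id, role_id, project_id))
    return bad
```

Running `audit_grants` over grants created before the check was enforced surfaces cross-domain assignments that are already stored.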
Changed in keystone:
assignee: nobody → yechengkun (chengkun)
Changed in keystone:
assignee: yechengkun (chengkun) → nobody
Changed in keystone:
assignee: nobody → Sean Perry (sean-perry-a)
Changed in keystone:
milestone: none → newton-rc1
Is this using policy.json or policy.v3cloudsample.json? And is the assignment done with http, or osc?