Actually, while I agree that the v3 sample policy file is not the default, this report highlights an issue: A recent modification to the v3 sample policy file introduced a bug that enables 2), and potentially 3) as well. It should not be possible to assign a role on a different domain unless you have domain or cloud admin rights to that domain. The modification tried to simplify the checking logic, but, I think, oversimplified it:
Change responsible: https://github.com/openstack/keystone/commit/0496466821c1ff6e7d4209233b6c671f88aadc50#diff-c391c57d187de2cc248667c704e28ac3