Comment 5 for bug 1287219

Henry Nash (henry-nash) wrote : Re: domain IDs should not be editable

Actually, while I agree that the v3 sample policy file is not the default, this report highlights an issue: a recent modification to the v3 sample policy file introduced a bug that enables 2), and potentially 3) as well. It should not be possible to assign a role on a different domain unless you have domain or cloud admin rights to that domain. The modification tried to simplify the checking logic but, I think, oversimplified it:

Change responsible: https://github.com/openstack/keystone/commit/0496466821c1ff6e7d4209233b6c671f88aadc50#diff-c391c57d187de2cc248667c704e28ac3