By design, domain-specific roles are visible within their owning domains only. In other words, a domain-specific role in domain "foo" should not be able to imply a domain-specific role from domain "bar".
To reproduce:
1. create a domain-specific role "foo_domain_role" in domain "foo".
2. create a domain-specific role "bar_domain_role" in domain "bar".
3. PUT /v3/roles/<foo_domain_role_id>/implies/<bar_domain_role_id>
4. list implies for "foo_domain_role" and you'll see "bar_domain_role" on the list
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163/implies | python -mjson.tool
{
    "role_inference": {
        "implies": [
            {
                "id": "3171089626224021afc0299a0c9b916e",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/3171089626224021afc0299a0c9b916e"
                },
                "name": "bar_domain_role"
            }
        ],
        "prior_role": {
            "id": "306b6d6f97084df983a6f2fa30cf1163",
            "links": {
                "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
            },
            "name": "foo_domain_role"
        }
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool
{
    "role": {
        "domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
        "id": "306b6d6f97084df983a6f2fa30cf1163",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
        },
        "name": "foo_domain_role"
    }
}
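An audit for the condition reported above, added here as an example and not taken from Keystone or from the proposed fix: it walks role documents and implied-role rules in the JSON shapes shown in the curl output and reports every rule that links domain-specific roles from two different domains. The helper names, the "bar" domain id and the two extra roles are constructed for the example.

```python
# Added example (not Keystone code). Document shapes follow the
# GET /v3/roles/<id> and GET /v3/roles/<id>/implies output in the report.

def cross_domain_implications(role_docs, inference_docs):
    """Return (prior, implied, prior_domain, implied_domain) for each rule
    linking domain-specific roles that belong to two different domains."""
    # role id -> domain_id; a missing or null domain_id means a global role
    domains = {d["role"]["id"]: d["role"].get("domain_id") for d in role_docs}
    findings = []
    for doc in inference_docs:
        rule = doc["role_inference"]
        prior = rule["prior_role"]
        # Indexing (not .get) raises KeyError when a role document is
        # missing, so incomplete input cannot silently hide a finding.
        prior_domain = domains[prior["id"]]
        for implied in rule["implies"]:
            implied_domain = domains[implied["id"]]
            # Only the case the report describes is flagged; rules that
            # involve a global role are outside what it states.
            if prior_domain and implied_domain and prior_domain != implied_domain:
                findings.append((prior["name"], implied["name"],
                                 prior_domain, implied_domain))
    return findings


def _role(rid, name, domain_id=None):
    """Build a role document (hypothetical helper for the sample data)."""
    doc = {"role": {"id": rid, "name": name}}
    if domain_id is not None:
        doc["role"]["domain_id"] = domain_id
    return doc


def _rule(prior, implied_list):
    """Build a role_inference document (hypothetical helper)."""
    ref = lambda d: {"id": d["role"]["id"], "name": d["role"]["name"]}
    return {"role_inference": {"prior_role": ref(prior),
                               "implies": [ref(i) for i in implied_list]}}


FOO_DOMAIN = "0ba1cc88be31429d98866d101d1ed0ba"  # domain_id from the report
BAR_DOMAIN = "bar-domain-id-placeholder"         # constructed, not in the report
foo = _role("306b6d6f97084df983a6f2fa30cf1163", "foo_domain_role", FOO_DOMAIN)
bar = _role("3171089626224021afc0299a0c9b916e", "bar_domain_role", BAR_DOMAIN)
foo2 = _role("constructed-role-1", "foo_other_role", FOO_DOMAIN)  # constructed
glob = _role("constructed-role-2", "global_role")                 # constructed
ROLES = [foo, bar, foo2, glob]
RULES = [_rule(foo, [bar, foo2, glob])]

if __name__ == "__main__":
    for f in cross_domain_implications(ROLES, RULES):
        print("cross-domain implied role: %s -> %s (%s -> %s)" % f)
```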
Fix proposed to branch: master
Review: https://review.openstack.org/351264