Scoping to project which is not on authentication domain is not working as expected
Bug #1734117 reported by
Evgeny Fedoruk
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Having user "U" on domain "X" which has admin role on domain "X" and domain "Y"
domain "X" and domain "Y" have projects "X1" and "Y1" respectively.
Authenticating with user "U" on domain "X" and scoping to domain "X"
OK.
Authenticating with user "U" on domain "X" and scoping to domain "Y"
OK.
Authenticating with user "U" on domain "X" and scoping to project "X1" belonging to domain "X"
OK.
Authenticating with user "U" on domain "X" and scoping to project "Y1" belonging to domain "Y"
FAILS.
I expect the last authentication to succeed, since user has admin role on the domain of the project.
This kind of authentication will succeed if admin role on project "Y" will be granted to the user.
Revision history for this message
| wangxiyuan (wangxiyuan) wrote | #1 |
Revision history for this message
| Lance Bragstad (lbragstad) wrote | #2 |
| Changed in keystone: | |
| status: | New → Invalid |
To post a comment you must log in.
I think it's a little confuse for the case:
Having user "U" on domain "X" which has admin role on domain "X" and domain "Y"
domain "X" and domain "Y" have projects "X1" and "Y1" respectively.
like this or not:
DomainX contains ProjectX and UserU
DomainY contains PojrectY
UserU has the admin role both in DomainX and DomainY(domain scoped), but doesn't has the role in ProjectX or ProjectY
I think my understanding is wrong. Can you see more here. Thanks.