OpenStack Identity (keystone)

  1. Bug #1806713
  2. Comment #10

Comment 10 for bug 1806713

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/622527
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=31eecfb2a42e44899ea2f72866be33cc7700db65
Submitter: Zuul
Branch: master

commit 31eecfb2a42e44899ea2f72866be33cc7700db65
Author: Lance Bragstad <email address hidden>
Date: Tue Dec 4 18:16:34 2018 +0000

    Add tests for domain users interacting with roles

    This commit adds explicit tests that show how domain users
    are expected to behave with global roles. A subsequent patch
    will do the same for project users.

    Note that these changes are slightly different from the
    policy.v3cloudsample.json role policies. In policy.v3cloudsample.json,
    domain users were allowed to get and list global roles. So were
    project users. This behavior is changing because global roles are
    considered global resources of the deployment, and they should be
    managed by system users. Domain users should be able to add and remove
    domain specific roles, which will come in a subsequent series of
    patches. This approach is being taken because it is a safer default
    for a system level resource (roles) and still allows the same
    functionality for domain users through domain-specific roles.

    Change-Id: Ia1a7adf4431042ecea1b41e3c589c55112183ab5
    Partial-Bug: 1806713
    Partial-Bug: 1805400