Reviewed: https://review.openstack.org/339558
Committed:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=47d4d08ecb6804841d6de640afed8ca743f254b3
Submitter: Jenkins
Branch: master
commit 47d4d08ecb6804841d6de640afed8ca743f254b3
Author: Sean Perry <sean.pe...@hpe.com>
Date: Thu Sep 15 11:04:14 2016 -0700
Give domain admin rights to domain specific implied roles
Currently this is not working because of our default
policy.v3cloudsample.json file. Add a new rule to check that the prior
role's domain ID matches the domain ID of the user.
Co-Authored-By: David Stanek <dsta...@dstanek.com>
Change-Id: Id1f5ccac3c639a44b33780b001e401bab195d8b3
Closes-Bug: #1593813
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1593813
Title:
domain admin unable to setup a domain-specific role to imply another
domain-specific role in the same domain
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
With policy.v3cloudsample.json, domain admin of a domain is unable to
setup a prior domain-specific role to imply another domain-specific
role in the same domain. Per design, this is allowed.
To reproduce.
1. Create "DomainA"
2. Create domain user "foo" in "DomainA"
3. Make "foo" the domain admin of "DomainA"
4. Get a DA token for "foo"
5. As DA, create a domain-specific role "AppDev" in "DomainA"
6. As DA, create a domain-specific role "AppAdmin" in "DomainA"
7. As DA, try to make "AppAdmin" imples "AppDev" and prepare to receive a
HTTP 403 response
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1593813/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
