Although we can do something like [1], the effective role assignments will be empty because [2]. Looks like this is not a bug after all :)
[1] http://paste.openstack.org/show/595788/
[2] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L675-L691

** Changed in: keystone
       Status: In Progress => Invalid

https://bugs.launchpad.net/bugs/1657865

Title:
  It is possible to create cross domain implied roles

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Since we can't assign a project a role from a different domain, it is
  expected to not create implied roles from different domains as well.

  For example:

  * user1
  * project1 - domainA
  * role1 - domainA
  * role2 - domainB
  * create an assignment: user1/project1/role1

  If we create a rule where role1 implies role2, we would bypass the
  domain restriction.