The assertion being made by OP is that the domain which owns the scoped project should become the domain upon which the action is performed, but I would consider that behavior to be a privilege escalation vulnerability. The user is presenting explicit domain-level authorization on a domain-level resource, and would thus be circumventing the intended policy.json behavior.
** Changed in: keystone Status: New => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1431015 Title: v3/users or groups calls not working without domain_id Status in OpenStack Identity (Keystone): Invalid Bug description: The keystone.common.controller._get_domain_id_for_list_request comment says the below: """Get the domain_id for a v3 list call. If we running with multiple domain drivers, then the caller must specify a domain_id either as a filter or as part of the token scope. """ But keystone instead of pulling the domain information from the token scope (the "or" in that statement), keystone fails with an HTTP 401 if you don't explicitly indicate the domain with the domain_id query parameter, as shown with the following commands: [root@mysystem ~]# curl -k -i -X GET https://127.0.0.1:5000/v3/groups -H "Accept: application/json" -H "X-Auth-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7" HTTP/1.1 401 Unauthorized content-length: 114 vary: X-Auth-Token server: Apache/2.4.6 (Red Hat) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5 date: Wed, 11 Mar 2015 20:50:31 GMT content-type: application/json www-authenticate: Keystone uri="https://ip9-114-226-167.pok.stglabs.ibm.com:5000" {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}} [root@mysystem ~]# curl -k -X GET https://127.0.0.1:5000/v3/auth/tokens -H "Accept: application/json" -H "X-Auth-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7" -H "X-Subject-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7" | python -mjson.tool { "token": { ... "project": { "domain": { "id": "default", "name": "Default" }, "id": "0e2df62a46044405bb63be16ab9e2177", "name": "ibm-default" }, ... "user": { "domain": { "id": "default", "name": "Default" }, "id": "0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9", "name": "root" } } } [root@mysystem ~]# curl -k -i -X GET https://127.0.0.1:5000/v3/groups?domain_id=default -H "Accept: application/json" -H "X-Auth-Token: 7f9254f016784efdb3b1e6fa8bc5e4f7" HTTP/1.1 200 OK ... To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1431015/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp