Reviewed:  https://review.openstack.org/321128
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9e7f24c2353d107e448f4e8a0d926e3968c6673d
Submitter: Jenkins
Branch:    master

commit 9e7f24c2353d107e448f4e8a0d926e3968c6673d
Author: Rudolf Vriend <[email protected]>
Date:   Wed May 25 18:49:47 2016 +0200

    Allow domain admins to list users in groups with v3 policy

    Domain admins (with a domain scoped token) could not list members of
    groups in their domain or groups of a user in their domain.

    This was due to 2 reasons: the v3 policy rule
    'identity:list_groups_for_user' was not evaluating the user's domain
    and the identity controller method protections of
    'list_users_in_group' and 'list_groups_for_user' were not providing
    the required targets for the rules.

    Change-Id: Ibf8442a2ceefc2bb0941bd5e7beba6c252b2ab36
    Closes-Bug: #1433402
    Closes-Bug: #1458994

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1433402

Title:
  list users in group unauthorised with v3 policy

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Two identity APIs have an unauthorised issue with v3 policy. They are
  list_users_in_group and list_groups_for_user. The domain admin should
  have permission to call these two APIs, but failed.

  Repo Step:
  * use v3 policy as config
  1. Create domain
  2. Create admin user 'userA' under domain (assign admin role to the
     user with domain scope)
  3. Create a normal domain user 'userB' (with domain admin userA's token)
  4. Create a normal domain group 'groupB' (with domain admin userA's token)
  5. Add userB as a member in groupB (with domain admin userA's token)
  6. list_users_in_group with groupB's id as param (with domain admin
     userA's token), unauthorized
  7. list_groups_for_user with userB's id as param (with domain admin
     userA's token), unauthorized

  Both step 6 and step 7 use the domain token.
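The failure mode named in the commit message, as an added example that is not keystone's code and not part of the original notification: a target-scoped domain rule denies even a legitimate domain admin when the controller does not supply the target it refers to. The rule function, the `list_users_in_group` stand-in, the `populate_target` switch and all sample data are hypothetical, and "a missing target attribute means deny" is this model's assumption.

```python
# Added example: simplified model of a target-scoped policy check.
# Names and dict layout are illustrative assumptions, not keystone's code.

def flatten(d, prefix=""):
    """Flatten {'target': {'group': {'domain_id': 'x'}}} into dotted keys."""
    out = {}
    for key, value in d.items():
        dotted = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, dotted + "."))
        else:
            out[dotted] = value
    return out


def generic_check(kind, match, target, creds):
    """Evaluate a 'kind:match' check such as domain_id:%(target.group.domain_id)s."""
    try:
        expected = match % flatten(target)
    except KeyError:
        # The rule refers to a target attribute the controller never supplied.
        return False
    return creds.get(kind) == expected


def admin_and_matching_group_domain(target, creds):
    """Hypothetical rule: admin role AND token domain equals the group's domain."""
    return ("admin" in creds.get("roles", ())
            and generic_check("domain_id", "%(target.group.domain_id)s",
                              target, creds))


def list_users_in_group(creds, group_id, groups, populate_target):
    """Stand-in for the controller protection; returns True if authorized."""
    target = {"group_id": group_id}
    if populate_target:
        # Look the group up and hand it to the rule as its target.
        target["target"] = {"group": groups[group_id]}
    return admin_and_matching_group_domain(target, creds)


# Constructed sample data mirroring the names in the bug description.
GROUPS = {"groupB": {"id": "groupB", "domain_id": "domA"}}
USER_A = {"roles": ["admin"], "domain_id": "domA"}       # domain admin of domA
OTHER_ADMIN = {"roles": ["admin"], "domain_id": "domZ"}  # admin of another domain

if __name__ == "__main__":
    print("no target:  ", list_users_in_group(USER_A, "groupB", GROUPS, False))
    print("with target:", list_users_in_group(USER_A, "groupB", GROUPS, True))
    print("other admin:", list_users_in_group(OTHER_ADMIN, "groupB", GROUPS, True))
```

Supplying the target keeps the domain boundary intact: the admin of a different domain is still denied.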

