Author: Sean Perry <sean.pe...@hpe.com>
Date: Thu Sep 15 11:04:14 2016 -0700
Give domain admin rights to domain specific implied roles
Currently this is not working because of our default
policy.v3cloudsample.json file. Add a new rule to check that the prior
role's domain ID matches the domain ID of the user.
Co-Authored-By: David Stanek <dsta...@dstanek.com>
** Changed in: keystone
Status: In Progress => Fix Released
domain admin unable to set up a domain-specific role to imply another
domain-specific role in the same domain
Status in OpenStack Identity (keystone):
With policy.v3cloudsample.json, domain admin of a domain is unable to
set up a prior domain-specific role to imply another domain-specific
role in the same domain. Per design, this is allowed.
1. Create "DomainA"
2. Create domain user "foo" in "DomainA"
3. Make "foo" the domain admin of "DomainA"
4. Get a DA token for "foo"
5. As DA, create a domain-specific role "AppDev" in "DomainA"
6. As DA, create a domain-specific role "AppAdmin" in "DomainA"
7. As DA, try to make "AppAdmin" imply "AppDev" and prepare to receive an
HTTP 403 response
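The check the commit message describes (the prior role's domain ID must match the domain ID of the user), modelled as an added illustration that is not Keystone's code or its policy file. The rule names, the target key, the IDs and the cloud-admin-only "before" rule are assumptions made for this sketch.

```python
# Added illustration: a small stand-in for an oslo.policy-style rule check.
# Rule names, target keys and IDs are hypothetical, not Keystone's own.

def check(expr, rules, creds, target):
    """Evaluate 'a or b' / 'a and b' over rule:, role: and key:value checks."""
    def atom(tok):
        kind, _, match = tok.partition(":")
        if kind == "rule":
            return check(rules[match], rules, creds, target)
        if kind == "role":
            return match in creds["roles"]
        # Generic check: credential attribute `kind` must equal the match,
        # with %(name)s substituted from the target of the API call.
        try:
            expected = match % target
        except KeyError:
            return False  # target has no such attribute: deny
        return creds.get(kind) == expected
    return any(all(atom(t) for t in conj.split(" and "))
               for conj in expr.split(" or "))

# Assumed "before" state: only a cloud admin may create an implied role.
BEFORE = {
    "cloud_admin": "role:admin and domain_id:admin_domain_id",
    "create_implied_role": "rule:cloud_admin",
}
# "After": also allow an admin whose domain matches the prior role's domain.
AFTER = dict(
    BEFORE,
    domain_admin_for_prior_role=(
        "role:admin and domain_id:%(target.prior_role.domain_id)s"),
    create_implied_role="rule:cloud_admin or rule:domain_admin_for_prior_role",
)

def allowed(rules, creds, prior_role):
    """True if creds may make prior_role imply another role."""
    target = {}
    if prior_role["domain_id"] is not None:  # global roles carry no domain
        target["target.prior_role.domain_id"] = prior_role["domain_id"]
    return check(rules["create_implied_role"], rules, creds, target)

# Constructed sample data mirroring the reproduction steps.
FOO = {"roles": ["admin"], "domain_id": "domain-a"}       # DA token for "foo"
MEMBER = {"roles": ["member"], "domain_id": "domain-a"}   # non-admin, same domain
CLOUD = {"roles": ["admin"], "domain_id": "admin_domain_id"}
APP_ADMIN = {"name": "AppAdmin", "domain_id": "domain-a"}
OTHER = {"name": "OtherRole", "domain_id": "domain-b"}    # role in another domain
GLOBAL = {"name": "GlobalRole", "domain_id": None}        # global role
```

Under the "after" rules the domain admin is still refused when the prior role belongs to another domain or is a global role, which is the boundary a reviewer of such a policy change would want covered by tests.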