Reviewed:  https://review.openstack.org/374463
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e88097f4c0245439d15df490f4b097f2e9def9c9
Submitter: Jenkins
Branch:    master

commit e88097f4c0245439d15df490f4b097f2e9def9c9
Author: Sean Perry <[email protected]>
Date:   Wed Sep 21 16:59:47 2016 -0700

    Add domain check in domain-specific role implication
    
    Forbids implication between domain-specific roles from different domains
    
    Change-Id: I9d3b9747df04b425f8c708bb3436569f2baf47c8
    Co-Authored-By: Steve Martinelli <[email protected]>
    Co-Authored-By: Mikhail Nikolaenko <[email protected]>
    Closes-Bug: #1590583


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1590583

Title:
  domain-specific role in one domain should not be able to imply a
  domain-specific role from another domain

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  By design, domain-specific roles are visible within their owning
  domains only. In other words, a domain-specific role in domain "foo"
  should not be able to imply a domain-specific role from domain "bar".

  To reproduce:

  1. create a domain-specific role "foo_domain_role" in domain "foo".
  2. create a domain-specific role "bar_domain_role" in domain "bar".
  3. PUT /v3/roles/<foo_domain_role_id>/implies/<bar_domain_role_id>
  4. list implies for "foo_domain_role" and you'll see "bar_domain_role" on the list

  vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163/implies | python -mjson.tool
  {
      "role_inference": {
          "implies": [
              {
                  "id": "3171089626224021afc0299a0c9b916e",
                  "links": {
                      "self": "http://10.0.2.15/identity/v3/roles/3171089626224021afc0299a0c9b916e"
                  },
                  "name": "bar_domain_role"
              }
          ],
          "prior_role": {
              "id": "306b6d6f97084df983a6f2fa30cf1163",
              "links": {
                  "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
              },
              "name": "foo_domain_role"
          }
      }
  }
  vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool
  {
      "role": {
          "domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
          "id": "306b6d6f97084df983a6f2fa30cf1163",
          "links": {
              "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
          },
          "name": "foo_domain_role"
      }
  }
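
The rule stated in the bug title, as an added example (not keystone's code and not part of the report): a check that refuses an implication between domain-specific roles from different domains, plus an audit over already-stored rules. The dict shape, the function names, bar's domain_id and the two extra roles are assumptions made for the example.

```python
# Added example, not keystone's code. Roles are plain dicts shaped like the
# "role" object in the API output above; domain_id is None for a global role.

class CrossDomainImplication(Exception):
    """Two domain-specific roles from different domains were linked."""


def check_implication(prior, implied):
    """Reject prior -> implied if both are domain-specific and domains differ."""
    p, i = prior.get("domain_id"), implied.get("domain_id")
    if p is not None and i is not None and p != i:
        raise CrossDomainImplication(
            "%s (domain %s) cannot imply %s (domain %s)"
            % (prior["name"], p, implied["name"], i))


def audit_rules(roles, rules):
    """Return the (prior_id, implied_id) pairs that violate the domain rule.

    roles: {role_id: role dict}; rules: iterable of (prior_id, implied_id).
    Lets an operator find rules that were stored before any check ran.
    """
    bad = []
    for prior_id, implied_id in rules:
        try:
            check_implication(roles[prior_id], roles[implied_id])
        except CrossDomainImplication:
            bad.append((prior_id, implied_id))
    return bad


# Constructed sample data. The two role ids and foo's domain_id come from the
# report; bar's domain_id and the last two roles are made up for the example.
FOO, BAR = "306b6d6f97084df983a6f2fa30cf1163", "3171089626224021afc0299a0c9b916e"
FOO_DOMAIN, BAR_DOMAIN = "0ba1cc88be31429d98866d101d1ed0ba", "bar-domain-id-placeholder"
ROLES = {
    FOO: {"name": "foo_domain_role", "domain_id": FOO_DOMAIN},
    BAR: {"name": "bar_domain_role", "domain_id": BAR_DOMAIN},
    "foo-role-2": {"name": "foo_other_role", "domain_id": FOO_DOMAIN},
    "global-role": {"name": "member", "domain_id": None},
}
RULES = [(FOO, BAR), (FOO, "foo-role-2"), (FOO, "global-role")]

if __name__ == "__main__":
    print(audit_rules(ROLES, RULES))
```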
