Reviewed: https://review.openstack.org/605871 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2c8f81af62cd03601fca259647991d5dd7f8d560 Submitter: Zuul Branch: master
commit 2c8f81af62cd03601fca259647991d5dd7f8d560 Author: Lance Bragstad <[email protected]> Date: Thu Sep 27 21:51:12 2018 +0000 Allow project users to retrieve domains This commit adds thorough testing to make sure users who have a role on a project can use project-scoped tokens to call GET /v3/domain/{domain_id} for the domain own their project. These users are not allowed to access domains that they don't have any authorization via project role assignments. This ensures the domains API is tested with these cases and makes the domains API more self-serviceable for users that are not administrators. Change-Id: Ifc100a7a235140fbd07cbafe80983d3c2f17a7dc Closes-Bug: 1794864 Related-Bug: 968696 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1794864 Title: Calling GET /v3/domains/{domain_id} with a project-scoped or domain- scoped token fails Status in OpenStack Identity (keystone): Fix Released Bug description: The policy that protects the identity:get_domain API (GET /v3/domains/{domain_id}) doesn't work as expected when using project- scoped or domain-scoped tokens. If a user has a token scoped to a project within a domain, they should be able to fetch that domain. If a user has a token scoped to a domain, they should be able to call access that API for that domain. Currently, both cases return an HTTP 403 Forbidden. A unit test exposes the broken behavior for project-scoped tokens [0]. [0] https://review.openstack.org/#/c/605560/1 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1794864/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
