global role should not be able to imply domain-specific role
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Mikhail Nikolaenko | |
Bug Description
Global roles should only be able to imply other global roles; they should not be able to imply domain-specific roles. Domain-specific role visibility should be limited to its owning domain only.
To reproduce:
1. create a domain-specific role "foo_domain_role" in domain "foo".
2. create a global role "foo_admin".
3. PUT /v3/roles/
4. list imply roles for "foo_admin" and you'll see the imply relationship
vagrant@
{
"role_
"implies": [
{
},
},
{
},
}
],
"id": "45038d5e628b44
},
"name": "foo_admin"
}
}
}
vagrant@
{
"role": {
"id": "45038d5e628b44
"links": {
"self": "http://
},
"name": "foo_admin"
}
}
vagrant@
{
"role": {
"id": "306b6d6f97084d
"links": {
"self": "http://
},
"name": "foo_domain_role"
}
}
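The rule stated in the bug description can be checked against existing inference rules, for instance ones created before a fix was deployed. The following is an added example, not keystone's code and not part of the original report; the `Role` record, the `(prior_id, implied_id)` rule tuples, and all IDs are simplified, constructed assumptions, with `domain_id = None` marking a global role.

```python
# Added example: not keystone's code. Record shapes and IDs are assumptions.
from typing import NamedTuple, Optional


class Role(NamedTuple):
    id: str
    name: str
    domain_id: Optional[str]  # None means a global role


def check_implication(prior: Role, implied: Role) -> Optional[str]:
    """Return a reason string if prior -> implied breaks the rule, else None."""
    if prior.domain_id is None and implied.domain_id is not None:
        return (f"global role {prior.name!r} implies domain-specific role "
                f"{implied.name!r} (domain {implied.domain_id})")
    return None


def audit_inference_rules(roles, rules):
    """Check every (prior_id, implied_id) rule; report violations and dangling IDs."""
    by_id = {r.id: r for r in roles}
    findings = []
    for prior_id, implied_id in rules:
        prior, implied = by_id.get(prior_id), by_id.get(implied_id)
        if prior is None or implied is None:
            findings.append((prior_id, implied_id, "rule references an unknown role"))
            continue
        reason = check_implication(prior, implied)
        if reason:
            findings.append((prior_id, implied_id, reason))
    return findings


# Constructed sample data mirroring the reproduction steps (IDs are placeholders).
ROLES = [
    Role("r-global-admin", "foo_admin", None),
    Role("r-global-member", "member", None),
    Role("r-foo-dsr", "foo_domain_role", "domain-foo"),
]
RULES = [
    ("r-global-admin", "r-global-member"),  # global -> global: allowed
    ("r-global-admin", "r-foo-dsr"),        # global -> domain-specific: the bug
    ("r-foo-dsr", "r-global-member"),       # not restricted by this rule
    ("r-global-admin", "r-missing"),        # dangling reference
]

if __name__ == "__main__":
    for prior_id, implied_id, reason in audit_inference_rules(ROLES, RULES):
        print(f"{prior_id} -> {implied_id}: {reason}")
```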
Changed in keystone: | |
status: | New → Confirmed |
Changed in keystone: | |
milestone: | none → newton-3 |
importance: | Undecided → Medium |
Changed in keystone: | |
milestone: | newton-3 → none |
Changed in keystone: | |
milestone: | none → newton-rc1 |
I thought the point of having DSR and implied roles was that this exact scenario should be allowed. Since the domain-specific roles won't be in the token, this way they get roles when the implied roles are in the token? Or do I have this reversed?