Public bug reported:

When building the roles in a Keystone token from a saml2 token, we call assignment_api.get_roles_for_groups() to add in any group roles. This appears to ignore the inheritance flag on the assignment - and puts in all group roles whether inherited or not. This means the wrong roles can end up in the resulting Keystone token.
The implication is that project scoped tokens would not get any group roles that should be inherited from the domain.

** Affects: keystone
   Importance: High
   Assignee: Henry Nash (henry-nash)
   Status: New

** Changed in: keystone
   Importance: Undecided => High

** Changed in: keystone
   Assignee: (unassigned) => Henry Nash (henry-nash)

https://bugs.launchpad.net/bugs/1389752

Title: Project tokens issued from a saml2 auth are missing inherited group roles

Status in OpenStack Identity (Keystone): New
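To make the inheritance rule the report relies on concrete, here is an added illustration (not Keystone's own code; the class, function names and sample assignments are constructed) of how group roles should be expanded for each token scope: a project-scoped token takes direct assignments on the project plus assignments on the owning domain that carry the inherited flag, while a domain-scoped token takes only the non-inherited domain assignments.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class GroupAssignment:
    """One group role assignment; exactly one of domain_id / project_id is set."""
    group_id: str
    role_id: str
    domain_id: Optional[str] = None
    project_id: Optional[str] = None
    inherited: bool = False  # the OS-INHERIT flag on a domain assignment


def group_roles_for_project(assignments: Iterable[GroupAssignment],
                            group_ids: Iterable[str],
                            project_id: str,
                            project_domain_id: str) -> Set[str]:
    """Roles a project-scoped token should carry from the user's groups."""
    groups = set(group_ids)
    roles: Set[str] = set()
    for a in assignments:
        if a.group_id not in groups:
            continue  # the federated user is not mapped into this group
        if a.project_id == project_id and not a.inherited:
            roles.add(a.role_id)  # direct assignment on the project itself
        elif a.domain_id == project_domain_id and a.inherited:
            roles.add(a.role_id)  # inherited down from the owning domain
        # non-inherited domain assignments never reach a project token
    return roles


def group_roles_for_domain(assignments: Iterable[GroupAssignment],
                           group_ids: Iterable[str],
                           domain_id: str) -> Set[str]:
    """Roles a domain-scoped token should carry: non-inherited domain assignments only."""
    groups = set(group_ids)
    return {a.role_id for a in assignments
            if a.group_id in groups and a.domain_id == domain_id and not a.inherited}


# Constructed sample data (not taken from the bug report).
SAMPLE_ASSIGNMENTS = [
    GroupAssignment("g-feds", "member", domain_id="d-corp", inherited=True),
    GroupAssignment("g-feds", "domain_admin", domain_id="d-corp"),
    GroupAssignment("g-feds", "reader", project_id="p-web"),
    GroupAssignment("g-other", "admin", project_id="p-web"),
    GroupAssignment("g-feds", "lab_member", domain_id="d-lab", inherited=True),
]
```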