** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1201487
Title:
listing projects for a user omits those that only have group related
roles
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
The backend drivers currently support two (very similar) functions:
list_user_projects() and get_projects_for_user(). Both claim to
return the list of projects for which a user has a role on. Neither
take into account roles by virtue of group membership. They are used
in the following ways:
uses list_user_projects() is used by:
- The API GET /users/{user_id}/projects
users get_projects_for_user() is used by
- The diablo GET /users/{user_id}/roleRefs (should we still need to support
this?)
- The API GET/tenants, where you get all projects referenced the user in the
token (weird)
- An unused function the v2 controller (which we should delete)
We should rationalize the above to use a single function in the driver
manager (similar to the way we do get_roles_for_user_and_project() ),
that correctly accounts for any projects for a which a user also has
roles by virtue of group membership.
If the os-inherit extension is installed, the above function should
also take into account roles inherited from the domain.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1201487/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
