Public bug reported:

Global roles should only be able to imply other global roles; they should not be able to imply domain-specific roles. Domain-specific role visibility should be limited to its owning domain only.

To reproduce:

1. create a domain-specific role "foo_domain_role" in domain "foo".
2. create a global role "foo_admin".
3. PUT /v3/roles/<foo_admin_role_id>/implies/<foo_domain_role_id>
4. list implied roles for "foo_admin" and you'll see the imply relationship

vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/45038d5e628b44c1857f33e839b06c77/implies | python -mjson.tool
{
    "role_inference": {
        "implies": [
            {
                "id": "306b6d6f97084df983a6f2fa30cf1163",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
                },
                "name": "foo_domain_role"
            },
            {
                "id": "c256b7047f514515b3138d9efb594b21",
                "links": {
                    "self": "http://10.0.2.15/identity/v3/roles/c256b7047f514515b3138d9efb594b21"
                },
                "name": "bar_admin"
            }
        ],
        "prior_role": {
            "id": "45038d5e628b44c1857f33e839b06c77",
            "links": {
                "self": "http://10.0.2.15/identity/v3/roles/45038d5e628b44c1857f33e839b06c77"
            },
            "name": "foo_admin"
        }
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/45038d5e628b44c1857f33e839b06c77 | python -mjson.tool
{
    "role": {
        "domain_id": null,
        "id": "45038d5e628b44c1857f33e839b06c77",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/45038d5e628b44c1857f33e839b06c77"
        },
        "name": "foo_admin"
    }
}
vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool
{
    "role": {
        "domain_id": "0ba1cc88be31429d98866d101d1ed0ba",
        "id": "306b6d6f97084df983a6f2fa30cf1163",
        "links": {
            "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163"
        },
        "name": "foo_domain_role"
    }
}

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1590578

Title:
  global role should not be able to imply domain-specific role

Status in OpenStack Identity (keystone):
  New