Public bug reported: By design, domain-specific roles are visible within their owning domains only. In other words, domain-specific role in domain "foo" should not be able to imply a domain-specific role from domain "bar".
To reproduce: 1. create a domain-specific role "foo_domain_role" in domain "foo". 2. create a domain-specific role "bar_domain_role" in domain "bar". 3. PUT /v3/roles/<foo_domain_role_id>/implies/<bar_domain_role_id> 4. list implies for "foo_domain_role" and you'll see "bar_domain_role" on the list vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163/implies | python -mjson.tool { "role_inference": { "implies": [ { "id": "3171089626224021afc0299a0c9b916e", "links": { "self": "http://10.0.2.15/identity/v3/roles/3171089626224021afc0299a0c9b916e" }, "name": "bar_domain_role" } ], "prior_role": { "id": "306b6d6f97084df983a6f2fa30cf1163", "links": { "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163" }, "name": "foo_domain_role" } } } vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool { "role": { "domain_id": "0ba1cc88be31429d98866d101d1ed0ba", "id": "306b6d6f97084df983a6f2fa30cf1163", "links": { "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163" }, "name": "foo_domain_role" } } ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1590583 Title: domain-specific role in one domain should not be able to imply a domain-specific role from another domain Status in OpenStack Identity (keystone): New Bug description: By design, domain-specific roles are visible within their owning domains only. In other words, domain-specific role in domain "foo" should not be able to imply a domain-specific role from domain "bar". To reproduce: 1. create a domain-specific role "foo_domain_role" in domain "foo". 2. create a domain-specific role "bar_domain_role" in domain "bar". 3. PUT /v3/roles/<foo_domain_role_id>/implies/<bar_domain_role_id> 4. list implies for "foo_domain_role" and you'll see "bar_domain_role" on the list vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163/implies | python -mjson.tool { "role_inference": { "implies": [ { "id": "3171089626224021afc0299a0c9b916e", "links": { "self": "http://10.0.2.15/identity/v3/roles/3171089626224021afc0299a0c9b916e" }, "name": "bar_domain_role" } ], "prior_role": { "id": "306b6d6f97084df983a6f2fa30cf1163", "links": { "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163" }, "name": "foo_domain_role" } } } vagrant@vagrant-ubuntu-trusty-64:~$ curl -s -H 'X-Auth-Token: 748aa5d5c13c4df2b8d6fb2075ca4c39' http://10.0.2.15:5000/v3/roles/306b6d6f97084df983a6f2fa30cf1163 | python -mjson.tool { "role": { "domain_id": "0ba1cc88be31429d98866d101d1ed0ba", "id": "306b6d6f97084df983a6f2fa30cf1163", "links": { "self": "http://10.0.2.15/identity/v3/roles/306b6d6f97084df983a6f2fa30cf1163" }, "name": "foo_domain_role" } } To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1590583/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp