Public bug reported: Domain-specific roles are visible in their owning domains only. Therefore, assigning a domain-specific role in a domain to users for a project in another domain should be prohibited.

To reproduce:

1. create a domain-specific "foo_domain_role" in the "foo" domain.
2. create a project "bar_project" in "bar" domain.
3. create a user "bar_user" in "bar" domain.
4. now assign the role "foo_domain_role" to user "bar_user" for "bar_project", this should yield 403 instead of 201.

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1590587

Title: assigning a domain-specific role in domain A for a user to a project in domain B should be prohibited

Status in OpenStack Identity (keystone): New
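
The check the report asks for, as an added example that is not part of the original report and is not keystone code: an in-memory model that replays the four steps and refuses the cross-domain grant. The class and function names are hypothetical, a global role is assumed to be modelled as a role with no owning domain, and the 201/403 codes are the ones quoted in the report.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Role:
    name: str
    domain: Optional[str] = None  # assumption: None models a global role

@dataclass(frozen=True)
class Project:
    name: str
    domain: str

@dataclass(frozen=True)
class User:
    name: str
    domain: str

class Forbidden(Exception):
    """Maps to the 403 the report expects."""

def check_role_visible_to_project(role: Role, project: Project) -> None:
    # A domain-specific role may only be granted on a project in its owning domain.
    if role.domain is not None and role.domain != project.domain:
        raise Forbidden(f"role {role.name!r} is owned by domain {role.domain!r}, "
                        f"project {project.name!r} is in {project.domain!r}")

def assign(grants: set, role: Role, user: User, project: Project) -> int:
    """Return the status codes quoted in the report: 201 on success, 403 on refusal."""
    try:
        check_role_visible_to_project(role, project)
    except Forbidden:
        return 403
    grants.add((user.name, project.name, role.name))
    return 201

def reproduce() -> dict:
    grants = set()
    foo_role = Role("foo_domain_role", domain="foo")    # step 1
    bar_project = Project("bar_project", domain="bar")  # step 2
    bar_user = User("bar_user", domain="bar")           # step 3
    return {
        "cross_domain": assign(grants, foo_role, bar_user, bar_project),  # step 4
        "same_domain": assign(grants, Role("bar_domain_role", "bar"), bar_user, bar_project),
        "global_role": assign(grants, Role("member"), bar_user, bar_project),
        "grants": len(grants),  # the refused grant must leave no record behind
    }

if __name__ == "__main__":
    print(reproduce())
```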