It's a feature. A trust is assumed to be the smallest chunk of delegated roles possible to perform an action. If a user does not have all those roles, the trustor should be informed immediately that the trust is no longer viable.
** Changed in: keystone
       Status: In Progress => Invalid

https://bugs.launchpad.net/bugs/1546039

Title:
  If one trustor role is removed, the trust cannot be used

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  If a trust is created with a list of roles, when the trust is used by the trustee to obtain a token, we first make sure that the trustor still has all the delegated roles. However, the way the code is written, if any have been removed, we immediately fail the token creation, rather than, instead, grant the token with the remaining roles.

  The current exception comment suggests that this was not our intention.
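
The two behaviours contrasted in this report, as a small model added here for illustration. It is not keystone's code: the names `Trust`, `roles_all_or_nothing`, `roles_remaining` and the sample assignments are assumptions constructed for the example.

```python
from dataclasses import dataclass


class TrustNoLongerViable(Exception):
    """Raised when the trustor has lost at least one delegated role."""


@dataclass(frozen=True)
class Trust:
    trustor: str
    trustee: str
    project: str
    roles: frozenset  # role names delegated when the trust was created


def trustor_roles(assignments, user, project):
    """Roles the user currently holds on the project (empty set if none)."""
    return frozenset(assignments.get((user, project), ()))


def roles_all_or_nothing(trust, assignments):
    """Fail closed: every delegated role must still be held by the trustor."""
    held = trustor_roles(assignments, trust.trustor, trust.project)
    missing = trust.roles - held
    if missing:
        raise TrustNoLongerViable(
            f"trustor {trust.trustor} no longer has: {sorted(missing)}")
    return sorted(trust.roles)


def roles_remaining(trust, assignments):
    """Behaviour the report asked for: scope the token to surviving roles."""
    held = trustor_roles(assignments, trust.trustor, trust.project)
    return sorted(trust.roles & held)


# Constructed sample data: alice delegated two roles, then lost "admin".
TRUST = Trust("alice", "heat-svc", "proj-1", frozenset({"member", "admin"}))
BEFORE = {("alice", "proj-1"): {"member", "admin", "reader"}}
AFTER = {("alice", "proj-1"): {"member", "reader"}}

if __name__ == "__main__":
    print(roles_all_or_nothing(TRUST, BEFORE))   # trust still viable
    print(roles_remaining(TRUST, AFTER))         # silently narrowed token
    try:
        roles_all_or_nothing(TRUST, AFTER)
    except TrustNoLongerViable as exc:
        print("rejected:", exc)                  # trust treated as invalid
```
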