[Openstack-security] [Bug 1315556] Re: Disabling a domain does not disable the projects in that domain
Thierry Carrez
thierry.carrez+lp at gmail.com
Wed Jun 11 14:59:42 UTC 2014
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => juno-1
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1315556
Title:
Disabling a domain does not disable the projects in that domain
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
User from an enabled domain can still get a token scoped to a project
in a disabled domain.
Steps to reproduce.
1. create domains "domainA" and "domainB"
2. create user "userA" and project "projectA" in "domainA"
3. create user "userB" and project "projectB" in "domainB"
4. assign "userA" some role for "projectB"
5. disable "domainB"
6. authenticate to get a token for "userA" scoped to "projectB". This should fail as "projectB"'s domain ("domainB") is disabled.
Looks like the fix would be the check for the project domain to make
sure it is also enabled. See
https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L112
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1315556/+subscriptions
More information about the Openstack-security
mailing list