[Openstack-security] [Bug 1315556] Re: Disabling a domain does not disable the projects in that domain

Dolph Mathews 1315556 at bugs.launchpad.net
Wed Oct 1 14:44:02 UTC 2014


** Also affects: keystone/icehouse
   Importance: Undecided
       Status: New

** Tags removed: havana-backport-potential icehouse-backport-potential security

** Changed in: keystone/icehouse
       Status: New => In Progress

** Changed in: keystone/icehouse
   Importance: Undecided => High

** Changed in: keystone/icehouse
     Assignee: (unassigned) => Dolph Mathews (dolph)

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1315556

Title:
  Disabling a domain does not disable the projects in that domain

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone icehouse series:
  In Progress

Bug description:
  User from an enabled domain can still get a token scoped to a project
  in a disabled domain.

  Steps to reproduce:

  1. create domains "domainA" and "domainB"
  2. create user "userA" and project "projectA" in "domainA"
  3. create user "userB" and project "projectB" in "domainB"
  4. assign "userA" some role for "projectB"
  5. disable "domainB"
  6. authenticate to get a token for "userA" scoped to "projectB". This should fail as "projectB"'s domain ("domainB") is disabled.

  Looks like the fix would be to check the project's domain to make
  sure it is also enabled. See

  https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L112

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1315556/+subscriptions
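The report's six steps and the missing check, as an added example. This is not code from the bug report or from Keystone itself; it is a small in-memory model in which the class and function names (IdentityStore, issue_scoped_token, reproduce, the *_unfixed and *_fixed assertion helpers) are invented for illustration. The "unfixed" path models the behaviour the report describes (only the user's domain and the project's own enabled flag are consulted); the "fixed" path adds the check on the project's owning domain that the reporter suggests.

```python
# Added example, not Keystone code: in-memory model of scoped-token
# validation for bug 1315556. Names are illustrative assumptions.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a scoped token must not be issued."""


@dataclass
class Domain:
    id: str
    enabled: bool = True


@dataclass
class Project:
    id: str
    domain_id: str
    enabled: bool = True


@dataclass
class User:
    id: str
    domain_id: str
    enabled: bool = True


@dataclass
class IdentityStore:
    domains: dict = field(default_factory=dict)
    projects: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)
    assignments: set = field(default_factory=set)  # (user_id, project_id) pairs

    def create_domain(self, domain_id):
        self.domains[domain_id] = Domain(domain_id)

    def create_project(self, project_id, domain_id):
        self.projects[project_id] = Project(project_id, domain_id)

    def create_user(self, user_id, domain_id):
        self.users[user_id] = User(user_id, domain_id)

    def grant(self, user_id, project_id):
        self.assignments.add((user_id, project_id))

    def disable_domain(self, domain_id):
        self.domains[domain_id].enabled = False

    def assert_domain_enabled(self, domain_id):
        if not self.domains[domain_id].enabled:
            raise Unauthorized("Domain is disabled: %s" % domain_id)

    def assert_user_enabled(self, user_id):
        user = self.users[user_id]
        if not user.enabled:
            raise Unauthorized("User is disabled: %s" % user_id)
        self.assert_domain_enabled(user.domain_id)  # the user's own domain

    def assert_project_enabled_unfixed(self, project_id):
        # Behaviour the report describes: only the project's flag is checked,
        # so a project in a disabled domain still looks usable.
        if not self.projects[project_id].enabled:
            raise Unauthorized("Project is disabled: %s" % project_id)

    def assert_project_enabled_fixed(self, project_id):
        # Suggested fix: the project's owning domain must be enabled as well.
        project = self.projects[project_id]
        self.assert_domain_enabled(project.domain_id)
        if not project.enabled:
            raise Unauthorized("Project is disabled: %s" % project_id)


def issue_scoped_token(store, user_id, project_id, fixed=True):
    """Return a token dict for user_id scoped to project_id, or raise Unauthorized."""
    store.assert_user_enabled(user_id)
    if fixed:
        store.assert_project_enabled_fixed(project_id)
    else:
        store.assert_project_enabled_unfixed(project_id)
    if (user_id, project_id) not in store.assignments:
        raise Unauthorized("%s has no role on %s" % (user_id, project_id))
    return {"user_id": user_id, "project_id": project_id,
            "domain_id": store.projects[project_id].domain_id}


def reproduce(fixed):
    """Run the report's steps 1-6; return True if a token was issued."""
    store = IdentityStore()
    store.create_domain("domainA")
    store.create_domain("domainB")
    store.create_user("userA", "domainA")
    store.create_project("projectA", "domainA")
    store.create_user("userB", "domainB")
    store.create_project("projectB", "domainB")
    store.grant("userA", "projectB")
    store.disable_domain("domainB")
    try:
        issue_scoped_token(store, "userA", "projectB", fixed=fixed)
        return True
    except Unauthorized:
        return False
```

reproduce(fixed=False) returns True, reproducing the bug: userA's own domain is enabled and projectB's flag is still set, so a token scoped into the disabled domainB is issued. reproduce(fixed=True) returns False because the project's domain is checked before the token is built. Note that the fixed path checks the domain before the project flag, so the error message names the real cause (the disabled domain) rather than the project.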
