[openstack-dev] [Keystone] Domain check in UserGroupMembership
Ronak Shah
ronak at nuagenetworks.net
Thu Mar 21 18:01:39 UTC 2013
Hi,
I was trying to make sense of the new keystone models looking at the code @
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py
I liked the fact that we have a notion of domains as a global container for
user, group and projects.
I believe since it's added as a foreign key to all these tables, we are
ensuring uniqueness of user, group and projects per domain.
On the same line, I think we are missing a check on the user-group,
user-project relationship also to be unique per domain. Is this a bug or
implementation? If implementation, why?
    def add_user_to_group(self, user_id, group_id):
        session = self.get_session()
        self.get_group(group_id)
        self.get_user(user_id)
        query = session.query(UserGroupMembership)
        query = query.filter_by(user_id=user_id)
        query = query.filter_by(group_id=group_id)
        rv = query.first()
        if rv:
            return
        with session.begin():
            session.add(UserGroupMembership(user_id=user_id,
                                            group_id=group_id))
            session.flush()
The above code adds a user to a group without checking for the common domain.
This allows User A in Domain A to be associated with Group B in Domain B?
Ideally User A shouldn't be doing anything in Domain B. Isn't it?
Thanks,
Ronak
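
The check asked about in the message above, as an added example that is not part of the original post and is not Keystone's code. It uses the standard-library sqlite3 module with a constructed schema; the table layout, the enforce_domain flag and the CrossDomainMembership exception are assumptions made for illustration.

```python
import sqlite3

class CrossDomainMembership(Exception):
    """Raised when a user and a group belong to different domains."""

def make_db():
    # Constructed schema (assumption): every user and group carries a domain_id.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (id TEXT PRIMARY KEY, domain_id TEXT NOT NULL);
        CREATE TABLE "group" (id TEXT PRIMARY KEY, domain_id TEXT NOT NULL);
        CREATE TABLE user_group_membership (
            user_id TEXT NOT NULL REFERENCES user(id),
            group_id TEXT NOT NULL REFERENCES "group"(id),
            PRIMARY KEY (user_id, group_id));
    """)
    # Constructed sample rows: one user and one group in each of two domains.
    db.executemany("INSERT INTO user VALUES (?, ?)",
                   [("user_a", "domain_a"), ("user_b", "domain_b")])
    db.executemany('INSERT INTO "group" VALUES (?, ?)',
                   [("group_a", "domain_a"), ("group_b", "domain_b")])
    return db

def _domain_of(db, table, entity_id):
    # table is one of two fixed literals passed below, never caller input.
    row = db.execute(f'SELECT domain_id FROM "{table}" WHERE id = ?',
                     (entity_id,)).fetchone()
    if row is None:
        raise LookupError(f"{table} {entity_id!r} not found")
    return row[0]

def add_user_to_group(db, user_id, group_id, enforce_domain=True):
    # Both lookups also act as existence checks, like get_user/get_group.
    user_domain = _domain_of(db, "user", user_id)
    group_domain = _domain_of(db, "group", group_id)
    if enforce_domain and user_domain != group_domain:
        raise CrossDomainMembership(
            f"{user_id} ({user_domain}) vs {group_id} ({group_domain})")
    with db:  # commits on success, rolls back on error
        # INSERT OR IGNORE keeps the call idempotent, like the early return.
        db.execute("INSERT OR IGNORE INTO user_group_membership VALUES (?, ?)",
                   (user_id, group_id))

def memberships(db):
    return sorted(db.execute(
        "SELECT user_id, group_id FROM user_group_membership").fetchall())
```

With enforce_domain=False the function behaves like the quoted method and records the cross-domain membership, which makes the difference easy to compare in a test.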