[Openstack-security] [openstack/keystone] SecurityImpact review request change I8cb3326952d6e379a457c19d7f8f5f9ee4b29eb0
gerrit2 at review.openstack.org
Wed Dec 17 19:15:56 UTC 2014
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/142554
Log:
commit 6b6be744214e81f0aab9b5c6d5040ec779aea036
Author: Brant Knudson <bknudson at us.ibm.com>
Date: Thu Dec 11 10:40:16 2014 -0600
Fix disabling entities when enabled is ignored
When LDAP is configured so that the `enabled` attribute is ignored
for an entity (user, group, role, project) and a client attempts to
disable the entity, it remains enabled, so a user might think that the
entity was disabled when it's not.
With this change, attempting to disable an entity where `enabled` is
ignored will return a 403 Forbidden error.
Since entities are always enabled when the `enabled` attribute is
ignored, there's no change to reject changes that attempt to enable
the entity.
Closes-Bug: #1241134
SecurityImpact
This is for security hardening.
(cherry picked from commit e62de2c91b5755149146a47e84e61d3642095998)
Conflicts:
keystone/tests/test_backend_ldap.py
Backport note: Conflict was because some tests were moved to unit
tests in Kilo.
Change-Id: I8cb3326952d6e379a457c19d7f8f5f9ee4b29eb0
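The behaviour the commit message describes, modelled in a small stand-alone Python example. This is added illustration, not Keystone's own code: `LdapEntityStore` is an invented in-memory stand-in for an LDAP backend, the set it is built with stands in for a configured attribute-ignore list (the `[ldap] user_attribute_ignore` style of option is assumed here, the commit message does not name it), and `ForbiddenAction` is a local stand-in for Keystone's 403 exception. `update_silently` is the pre-fix behaviour (the disable is dropped and the entity stays enabled); `update` is the post-fix behaviour (the disable is refused with 403, while enabling and other attribute changes still go through).

```python
"""Constructed model of disabling an entity whose `enabled` attribute is ignored.

Not Keystone code. The store, the ignore list and the exception are assumptions
made for illustration; only the behaviour (silent no-op before, 403 after) follows
the change description.
"""
from dataclasses import dataclass, field


class ForbiddenAction(Exception):
    """Local stand-in for the 403 Forbidden error the fixed backend returns."""
    http_status = 403


@dataclass
class LdapEntityStore:
    # Attribute names the backend is configured to ignore (assumed to mirror an
    # option like `[ldap] user_attribute_ignore = enabled`).
    attribute_ignore: set
    # entity_id -> attribute dict (constructed sample data lives here)
    entities: dict = field(default_factory=dict)

    def get(self, entity_id):
        obj = dict(self.entities[entity_id])
        # When `enabled` is ignored the backend always reports the entity as enabled.
        if 'enabled' in self.attribute_ignore:
            obj['enabled'] = True
        return obj

    def update_silently(self, entity_id, values):
        """Pre-fix behaviour: ignored attributes are dropped without any error."""
        for key, value in values.items():
            if key in self.attribute_ignore:
                continue
            self.entities[entity_id][key] = value
        return self.get(entity_id)

    def update(self, entity_id, values):
        """Post-fix behaviour: refuse a disable that could never take effect."""
        for key, value in values.items():
            if key in self.attribute_ignore:
                if key == 'enabled' and not value:
                    raise ForbiddenAction(
                        "Cannot disable entity: the 'enabled' attribute is ignored")
                # Enabling is a no-op (the entity is always enabled), so it is allowed.
                continue
            self.entities[entity_id][key] = value
        return self.get(entity_id)


def demo():
    """Run both behaviours over constructed sample entities and return the results."""
    ignored = LdapEntityStore(attribute_ignore={'enabled'},
                              entities={'u1': {'name': 'alice'}})
    results = {}

    # Pre-fix: the request "succeeds" but reading the user back shows it is still enabled.
    results['silent'] = ignored.update_silently('u1', {'enabled': False})['enabled']

    # Post-fix: the same request is rejected with 403 instead of pretending to work.
    try:
        ignored.update('u1', {'enabled': False})
        results['status'] = 200
    except ForbiddenAction as exc:
        results['status'] = exc.http_status

    # Enabling (a no-op) and changes to other attributes are still accepted.
    results['after'] = ignored.update('u1', {'enabled': True,
                                             'email': 'alice@example.org'})

    # A backend that does not ignore `enabled` can disable an entity normally.
    normal = LdapEntityStore(attribute_ignore=set(),
                             entities={'u2': {'name': 'bob', 'enabled': True}})
    results['normal'] = normal.update('u2', {'enabled': False})['enabled']
    return results


if __name__ == '__main__':
    print(demo())
```

The practical check on a deployment running the old code is the one `demo` performs: after a disable request that returned success, read the entity back and compare `enabled`; if it still reads `True`, the attribute is being ignored and the account was never disabled.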