[Openstack-security] [Bug 1315556] Re: Disabling a domain does not disable the projects in that domain
Dolph Mathews
1315556 at bugs.launchpad.net
Sat May 3 17:01:19 UTC 2014
Is this a regression?
** Tags added: havana-backport-potential icehouse-backport-potential
** Tags added: security
** Changed in: keystone
Status: New => Triaged
** Changed in: keystone
Importance: Undecided => High
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1315556
Title:
Disabling a domain does not disable the projects in that domain
Status in OpenStack Identity (Keystone):
Triaged
Bug description:
User from an enabled domain can still get a token scoped to a project
in a disabled domain.
Steps to reproduce.
1. create domains "domainA" and "domainB"
2. create user "userA" and project "projectA" in "domainA"
3. create user "userB" and project "projectB" in "domainB"
4. assign "userA" some role for "projectB"
5. disable "domainB"
6. authenticate to get a token for "userA" scoped to "projectB". This should fail as "projectB"'s domain ("domainB") is disabled.
Looks like the fix would be the check for the project domain to make
sure it is also enabled. See
https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L112
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1315556/+subscriptions
More information about the Openstack-security
mailing list