[Openstack-security] [Bug 1315556] Re: Disabling a domain does not disable the projects in that domain
Guang Yee
1315556 at bugs.launchpad.net
Mon May 5 07:01:18 UTC 2014
I don't think we have a test case for this. We check the project's
domain status only if it is specified. For example,
    "scope": {
        "project": {
            "name": "projectA",
            "domain": {
                "name": "domainA"
            }
        }
    }
However, when the project ID is specified, the project domain info is absent.
Therefore, the backend never checks the project domain status.
    "scope": {
        "project": {
            "id": "<project_id>"
        }
    }
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1315556
Title:
Disabling a domain does not disable the projects in that domain
Status in OpenStack Identity (Keystone):
Triaged
Bug description:
A user from an enabled domain can still get a token scoped to a project
in a disabled domain.
Steps to reproduce:
1. create domains "domainA" and "domainB"
2. create user "userA" and project "projectA" in "domainA"
3. create user "userB" and project "projectB" in "domainB"
4. assign "userA" some role for "projectB"
5. disable "domainB"
6. authenticate to get a token for "userA" scoped to "projectB". This should fail as "projectB"'s domain ("domainB") is disabled.
Looks like the fix would be to check the project's domain to make
sure it is also enabled. See
https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L112
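The following is an added example, not Keystone's own code, that models both points on this page: the reporter's six reproduction steps and the explanation in the reply that the domain is only validated when the scope names it. The in-memory Backend, the record layout, the ids (dA, dB, uA, uB, pA, pB) and the functions resolve_project, issue_scoped_token and reproduce are assumptions made for this illustration. The check_project_domain flag switches between the reported behaviour and the suggested fix: after the project is resolved, by id or by name, look up the domain it actually belongs to and refuse the token if that domain is disabled.

```python
# Constructed model of Keystone v3 scoped-token issuance for bug 1315556.
# Backend, resolve_project, issue_scoped_token and reproduce are assumed
# names for this example; they are not Keystone APIs.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a scoped token must not be issued."""


@dataclass
class Backend:
    """Minimal in-memory identity store, every table keyed by id."""
    domains: dict = field(default_factory=dict)   # id -> {id, name, enabled}
    projects: dict = field(default_factory=dict)  # id -> {id, name, domain_id, enabled}
    users: dict = field(default_factory=dict)     # id -> {id, name, domain_id, enabled}
    roles: set = field(default_factory=set)       # {(user_id, project_id)}

    def domain_by_name(self, name):
        for d in self.domains.values():
            if d["name"] == name:
                return d
        raise Unauthorized("no such domain: %s" % name)

    def project_by_name(self, name, domain_id):
        for p in self.projects.values():
            if p["name"] == name and p["domain_id"] == domain_id:
                return p
        raise Unauthorized("no such project %s in domain %s" % (name, domain_id))


def resolve_project(backend, scope):
    """Map the 'scope' of a v3 auth request to a project record.

    When the scope names the domain, the domain is looked up and its
    enabled flag is checked here. When the scope gives only the project
    id, the project is fetched directly and its domain is never
    consulted: that is the gap described in the bug.
    """
    proj = scope["project"]
    if "id" in proj:
        if proj["id"] not in backend.projects:
            raise Unauthorized("no such project id")
        return backend.projects[proj["id"]]
    domain = backend.domain_by_name(proj["domain"]["name"])
    if not domain["enabled"]:
        raise Unauthorized("domain %s is disabled" % domain["name"])
    return backend.project_by_name(proj["name"], domain["id"])


def issue_scoped_token(backend, user_id, scope, check_project_domain=False):
    """Return a token dict, or raise Unauthorized.

    check_project_domain=False reproduces the reported behaviour.
    check_project_domain=True applies the suggested fix: look up the
    domain the resolved project belongs to and require it to be enabled,
    regardless of how the scope was expressed.
    """
    user = backend.users[user_id]
    if not user["enabled"] or not backend.domains[user["domain_id"]]["enabled"]:
        raise Unauthorized("user or user domain disabled")
    project = resolve_project(backend, scope)
    if not project["enabled"]:
        raise Unauthorized("project disabled")
    if check_project_domain and not backend.domains[project["domain_id"]]["enabled"]:
        raise Unauthorized("project domain %s is disabled" % project["domain_id"])
    if (user_id, project["id"]) not in backend.roles:
        raise Unauthorized("no role assignment on project")
    return {"user_id": user_id, "project_id": project["id"],
            "project_domain_id": project["domain_id"]}


def reproduce(check_project_domain):
    """Steps 1-6 of the bug report with constructed ids.

    Returns whether userA obtained a token scoped to projectB (whose
    domainB is disabled), once scoping by project id and once by name.
    """
    b = Backend()
    b.domains["dA"] = {"id": "dA", "name": "domainA", "enabled": True}  # step 1
    b.domains["dB"] = {"id": "dB", "name": "domainB", "enabled": True}
    b.users["uA"] = {"id": "uA", "name": "userA", "domain_id": "dA", "enabled": True}  # step 2
    b.projects["pA"] = {"id": "pA", "name": "projectA", "domain_id": "dA", "enabled": True}
    b.users["uB"] = {"id": "uB", "name": "userB", "domain_id": "dB", "enabled": True}  # step 3
    b.projects["pB"] = {"id": "pB", "name": "projectB", "domain_id": "dB", "enabled": True}
    b.roles.add(("uA", "pB"))                                            # step 4
    b.domains["dB"]["enabled"] = False                                   # step 5

    def attempt(scope):                                                  # step 6
        try:
            issue_scoped_token(b, "uA", scope, check_project_domain)
            return True
        except Unauthorized:
            return False

    return {
        "by_id": attempt({"project": {"id": "pB"}}),
        "by_name": attempt({"project": {"name": "projectB",
                                        "domain": {"name": "domainB"}}}),
    }


if __name__ == "__main__":
    print("unfixed:", reproduce(False))  # {'by_id': True, 'by_name': False}
    print("fixed:  ", reproduce(True))   # {'by_id': False, 'by_name': False}
```

Run stand-alone, the unfixed path shows the asymmetry from the reply: the same user gets a token for projectB when scoping by id but is refused when scoping by name, because only the by-name path ever touches the domain. With the fix the project's own domain_id is checked after resolution, so both paths are refused, which is the behaviour step 6 of the report expects.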