Fix proposed to branch: master Review: https://review.openstack.org/94251 ** Changed in: keystone Status: Triaged => In Progress -- You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1315556 Title: Disabling a domain does not disable the projects in that domain Status in OpenStack Identity (Keystone): In Progress Bug description: User from an enabled domain can still get a token scoped to a project in a disabled domain. Steps to reproduce. 1. create domains "domainA" and "domainB" 2. create user "userA" and project "projectA" in "domainA" 3. create user "userB" and project "projectB" in "domainB" 4. assign "userA" some role for "projectB" 5. disable "domainB" 6. authenticate to get a token for "userA" scoped to "projectB". This should fail as "projectB"'s domain ("domainB") is disabled. Looks like the fix would be the check for the project domain to make sure it is also enabled. See https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L112 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1315556/+subscriptions