Reviewed:  https://review.openstack.org/94251
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5db0ce63f33f6d4aec43143ae6e6fa62ad5c9025
Submitter: Jenkins
Branch:    master

commit 5db0ce63f33f6d4aec43143ae6e6fa62ad5c9025
Author: guang-yee <guang.yee at hp.com>
Date:   Mon May 19 12:14:38 2014 -0700

    Make sure scoping to the project of a disabled domain result in 401.

    Addresses the problem where we check for the validity of the scoped
    project, we did not subsequently make sure its domain is also enabled.

    Change-Id: I24e539aea9bb0ef0a22727fd9c1fb5d9d2ad1353
    Closes-Bug: 1315556

** Changed in: keystone
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1315556

Title:
  Disabling a domain does not disable the projects in that domain

Status in OpenStack Identity (Keystone):
  Fix Committed

Bug description:
  User from an enabled domain can still get a token scoped to a project
  in a disabled domain.

  Steps to reproduce.

  1. create domains "domainA" and "domainB"
  2. create user "userA" and project "projectA" in "domainA"
  3. create user "userB" and project "projectB" in "domainB"
  4. assign "userA" some role for "projectB"
  5. disable "domainB"
  6. authenticate to get a token for "userA" scoped to "projectB". This
     should fail as "projectB"'s domain ("domainB") is disabled.

  Looks like the fix would be the check for the project domain to make
  sure it is also enabled. See

  https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L112
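
The check the bug description proposes, as an added example that is not Keystone's code and not part of the original notification. It is a self-contained in-memory model: the classes, dictionaries, and the `check_project_scope` function with its `check_domain` flag are hypothetical names, and the sample data is constructed from the reproduction steps.

```python
# Added illustration: a minimal in-memory model, not Keystone's implementation.
from dataclasses import dataclass


class Unauthorized(Exception):
    """Stands in for the HTTP 401 the commit message refers to."""


@dataclass
class Domain:
    id: str
    enabled: bool = True


@dataclass
class Project:
    id: str
    domain_id: str
    enabled: bool = True


# Constructed sample data mirroring reproduction steps 1-4.
DOMAINS = {"domainA": Domain("domainA"), "domainB": Domain("domainB")}
PROJECTS = {
    "projectA": Project("projectA", "domainA"),
    "projectB": Project("projectB", "domainB"),
}
# Step 4: userA holds a role on projectB, which lives in a different domain.
ROLE_ASSIGNMENTS = {("userA", "projectA"), ("userA", "projectB"), ("userB", "projectB")}


def check_project_scope(user_id, project_id, check_domain=True):
    """Return the project if a token may be scoped to it, else raise Unauthorized.

    check_domain=False models the behaviour reported in the bug: only the
    project's own 'enabled' flag is consulted.
    """
    project = PROJECTS.get(project_id)
    if project is None or not project.enabled:
        raise Unauthorized(f"project {project_id} is not available")
    if (user_id, project_id) not in ROLE_ASSIGNMENTS:
        raise Unauthorized(f"{user_id} has no role on {project_id}")
    if check_domain:
        domain = DOMAINS.get(project.domain_id)
        # Fail closed: an unknown domain is treated like a disabled one.
        if domain is None or not domain.enabled:
            raise Unauthorized(f"domain of {project_id} is disabled")
    return project
```

Setting `DOMAINS["domainB"].enabled = False` (step 5) and calling `check_project_scope("userA", "projectB")` (step 6) raises `Unauthorized`, while the same call with `check_domain=False` still returns the project.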