Disable domain doesn't disable users in the domain

Bug #1294735 reported by Haneef Ali
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

If you disable a domain, the users in the domain are not disabled.

Haneef Ali (haneef)
summary: - disable domain
+ Disable domain doesn't disable users in the domain
Haneef Ali (haneef) wrote :

Actually I'm not sure whether this is required

Dolph Mathews (dolph) wrote :

Are you expecting that disabled attribute to explicitly cascade, or the effect of the disabled attribute on the domain to apply to users in some way that it currently does not?

Changed in keystone:
status: New → Incomplete
Haneef Ali (haneef) wrote :

I was expecting the disabled attribute to cascade. If the user's domain is disabled, will he be able to get a domain scope token for another domain (provided he has a role in that domain)? I have to check the code. If not, then we don't need to cascade it.

Dolph Mathews (dolph) wrote :

It was an intentional design decision to not explicitly cascade the state of "enabled" to child objects, but the "effect" should cascade. In other words, disabling a domain should effectively disable users owned by that domain from authenticating at all without affecting the user resources themselves.

Jufang Wang (jufang-wang) wrote :

After testing, the existing token for the user in the disabled domain can still be validated and still works.

Dolph Mathews (dolph)
Changed in keystone:
status: Incomplete → Triaged
importance: Undecided → Medium
Samuel de Medeiros Queiroz (samueldmq) wrote :

I couldn't reproduce this issue. I think it has already been resolved.

Shota Morimoto (shouta-morimoto+openstack-dev) wrote :

I could reproduce this bug with the current HEAD keystone as of 1/17/16.
    --------------------------------------
    shoutm@ubuntu % git log | head -6
    commit a55128044f763f5cfe2fdc57c738eaca97636448
    Merge: 3198b67 d2bbffe
    Author: Jenkins <email address hidden>
    Date: Sun Jan 17 10:09:44 2016 +0000

        Merge "Fedora link is too old and so updated with newer version"
    --------------------------------------

You can see my evidence here.
http://paste.openstack.org/show/484076/

* I couldn't get a token for the user whose domain is disabled. (See line no. 197)
* But I could still use a token for the user which was taken when the domain of the user was enabled. (See line no. 206)

I don't know whether this is intended or not. If not, this should be closed.

Changed in keystone:
assignee: nobody → Clenimar Filemon (clenimar-filemon)
assignee: Clenimar Filemon (clenimar-filemon) → nobody
Clenimar Filemon (clenimar-filemon) wrote :

I couldn't reproduce Shota's procedure... the token revocation seems pretty right from here. As Dolph noted in comment #4, the Disabled attribute should not cascade, but its effect should. In fact, users in a disabled domain are blocked from getting a token at token issuance time (thanks Samuel for the clarification!).

So I'm marking this as Invalid.

The token revocation can be treated in another topic.

Changed in keystone:
status: Triaged → Invalid
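
A minimal model of the behaviour discussed in this thread, added here as an illustration; it is not keystone code and not from any commenter. The names `Identity`, `effectively_enabled` and `validate_expiry_only` are hypothetical. It shows the "enabled" flag not cascading while its effect does, and why a validator that checks only expiry keeps accepting a token issued before the domain was disabled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Domain:
    id: str
    enabled: bool = True

@dataclass
class User:
    id: str
    domain_id: str
    enabled: bool = True

@dataclass(frozen=True)
class Token:
    user_id: str
    expires_at: datetime

class Identity:
    """Toy identity store (hypothetical, not keystone's API)."""
    def __init__(self):
        self.domains, self.users = {}, {}

    def effectively_enabled(self, user_id):
        # The user's own flag is untouched; the owning domain's state is consulted.
        user = self.users[user_id]
        return user.enabled and self.domains[user.domain_id].enabled

    def issue(self, user_id, now):
        if not self.effectively_enabled(user_id):
            raise PermissionError("user or owning domain is disabled")
        return Token(user_id, now + timedelta(hours=1))

    def validate_expiry_only(self, token, now):
        # Weak check: ignores state changes made after issuance.
        return now < token.expires_at

    def validate(self, token, now):
        # Stronger check: re-evaluates the effective state on every validation.
        return now < token.expires_at and self.effectively_enabled(token.user_id)

def demo():
    now = datetime(2016, 1, 17, tzinfo=timezone.utc)  # constructed timestamp
    idp = Identity()
    idp.domains["d1"] = Domain("d1")      # constructed sample data
    idp.users["u1"] = User("u1", "d1")
    old = idp.issue("u1", now)            # issued while the domain is enabled
    idp.domains["d1"].enabled = False     # disable the domain only
    try:
        idp.issue("u1", now)
        new_issued = True
    except PermissionError:
        new_issued = False
    return {"user_flag": idp.users["u1"].enabled, "new_token_issued": new_issued,
            "old_expiry_only": idp.validate_expiry_only(old, now),
            "old_effective": idp.validate(old, now)}
```
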