Disabling a domain does not disable the projects in that domain

Bug #1315556 reported by Guang Yee
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Morgan Fainberg |
Icehouse | Fix Released | High | Dolph Mathews |

Bug Description

User from an enabled domain can still get a token scoped to a project in a disabled domain.

Steps to reproduce:

1. create domains "domainA" and "domainB"
2. create user "userA" and project "projectA" in "domainA"
3. create user "userB" and project "projectB" in "domainB"
4. assign "userA" some role for "projectB"
5. disable "domainB"
6. authenticate to get a token for "userA" scoped to "projectB". This should fail as "projectB"'s domain ("domainB") is disabled.

Looks like the fix would be to check the project's domain to make sure it is also enabled. See

https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L112

Dolph Mathews (dolph) wrote :

Is this a regression?

tags: added: havana-backport-potential icehouse-backport-potential
tags: added: security
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Guang Yee (guang-yee) wrote :

I don't think we have a test case for this. We check the project's domain status only if it is specified. For example,

"scope": {
    "project": {
        "name": "projectA",
        "domain": {
            "name": "domainA"
        }
    }
}

However, when the project ID is specified, project domain info is absent. Therefore, the backend never checks the project domain status.

"scope": {
    "project": {
        "id": "<project_id>"
    }
}
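
As an added illustration of the check described in this comment (example code written for this page, not keystone's own implementation), the following simplified scope validator resolves the project from either scope form and then checks the owning domain in both cases. The in-memory DOMAINS and PROJECTS tables, the Unauthorized exception and the function names are constructed for the example; domain ids equal domain names here purely for brevity.

```python
# Constructed, simplified model of the token scope check; not keystone code.
class Unauthorized(Exception):
    """Raised when scoping must fail with HTTP 401."""


# Constructed backend state mirroring the reproduction steps: domainB is disabled.
DOMAINS = {
    "domainA": {"name": "domainA", "enabled": True},
    "domainB": {"name": "domainB", "enabled": False},
}
PROJECTS = {
    "proj-a-id": {"name": "projectA", "domain_id": "domainA", "enabled": True},
    "proj-b-id": {"name": "projectB", "domain_id": "domainB", "enabled": True},
}


def _lookup_project(scope):
    """Resolve the project from either scope form: by id, or by name plus domain."""
    project = scope.get("project", {})
    if "id" in project:
        found = PROJECTS.get(project["id"])
    else:
        domain_ref = project.get("domain", {})
        domain_id = domain_ref.get("id") or domain_ref.get("name")
        found = next((p for p in PROJECTS.values()
                      if p["name"] == project.get("name")
                      and p["domain_id"] == domain_id), None)
    if found is None:
        raise Unauthorized("scoped project not found")
    return found


def validate_project_scope(scope):
    """Return the project only if it AND its owning domain are enabled.

    The domain check runs after the project lookup regardless of which scope
    form was used, so scoping by bare project id no longer bypasses it.
    """
    project = _lookup_project(scope)
    if not project["enabled"]:
        raise Unauthorized("project is disabled")
    domain = DOMAINS.get(project["domain_id"])
    if domain is None or not domain["enabled"]:
        raise Unauthorized("project's domain is disabled")
    return project


def scope_is_allowed(scope):
    """Convenience wrapper: True if scoping would succeed, False if it yields 401."""
    try:
        validate_project_scope(scope)
        return True
    except Unauthorized:
        return False
```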

Guang Yee (guang-yee)
Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/94251

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Guang Yee (guang-yee) → Morgan Fainberg (mdrnstm)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/94251
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5db0ce63f33f6d4aec43143ae6e6fa62ad5c9025
Submitter: Jenkins
Branch: master

commit 5db0ce63f33f6d4aec43143ae6e6fa62ad5c9025
Author: guang-yee <email address hidden>
Date: Mon May 19 12:14:38 2014 -0700

    Make sure scoping to the project of a disabled domain results in 401.

    Addresses the problem where we checked for the validity of the scoped project
    but did not subsequently make sure its domain is also enabled.

    Change-Id: I24e539aea9bb0ef0a22727fd9c1fb5d9d2ad1353
    Closes-Bug: 1315556

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → juno-1
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/125364

Dolph Mathews (dolph)
tags: removed: havana-backport-potential icehouse-backport-potential security
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-1 → 2014.2
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/icehouse)

Reviewed: https://review.openstack.org/125364
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3817e757d1811459f50644cd9660e7a1a6e6335e
Submitter: Jenkins
Branch: stable/icehouse

commit 3817e757d1811459f50644cd9660e7a1a6e6335e
Author: guang-yee <email address hidden>
Date: Mon May 19 12:14:38 2014 -0700

    Make sure scoping to the project of a disabled domain results in 401.

    Addresses the problem where we checked for the validity of the scoped project
    but did not subsequently make sure its domain is also enabled.

    Change-Id: I24e539aea9bb0ef0a22727fd9c1fb5d9d2ad1353
    Closes-Bug: 1315556
    (cherry picked from commit 5db0ce63f33f6d4aec43143ae6e6fa62ad5c9025)
