Disabling a domain does not disable the projects in that domain
Bug #1315556 reported by Guang Yee
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Morgan Fainberg | |
Icehouse | Fix Released | High | Dolph Mathews | |
Bug Description
A user from an enabled domain can still get a token scoped to a project in a disabled domain.
Steps to reproduce.
1. create domains "domainA" and "domainB"
2. create user "userA" and project "projectA" in "domainA"
3. create user "userB" and project "projectB" in "domainB"
4. assign "userA" some role for "projectB"
5. disable "domainB"
6. authenticate to get a token for "userA" scoped to "projectB". This should fail as "projectB"'s domain ("domainB") is disabled.
Looks like the fix would be the check for the project domain to make sure it is also enabled. See
https:/
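The check the report proposes, run against its own reproduction steps, as an added Python example that is not keystone's code. The classes, `issue_project_scoped_token`, its `check_project_domain` switch and the `member` role are hypothetical names, and the user-side and project-enabled checks are assumed to exist already.

```python
from dataclasses import dataclass, field

class Unauthorized(Exception):
    """Raised when a scoped token must not be issued."""

@dataclass
class Domain:
    name: str
    enabled: bool = True

@dataclass
class Project:
    name: str
    domain: Domain
    enabled: bool = True

@dataclass
class User:
    name: str
    domain: Domain
    enabled: bool = True
    roles: dict = field(default_factory=dict)  # project name -> role name

def issue_project_scoped_token(user, project, check_project_domain=True):
    """check_project_domain=False models the reported behaviour, where the
    project's owning domain is never consulted."""
    if not (user.enabled and user.domain.enabled):
        raise Unauthorized("user or user's domain is disabled")
    if not project.enabled:
        raise Unauthorized("project is disabled")
    if check_project_domain and not project.domain.enabled:
        raise Unauthorized("project's domain is disabled")
    if project.name not in user.roles:
        raise Unauthorized("user has no role on project")
    return {"user": user.name, "project": project.name}

def reproduce():
    """Steps 1-5 of the report on constructed data; step 6 is the call above."""
    domain_a, domain_b = Domain("domainA"), Domain("domainB")
    user_a = User("userA", domain_a)
    project_b = Project("projectB", domain_b)
    user_a.roles[project_b.name] = "member"  # step 4; role name is constructed
    domain_b.enabled = False                 # step 5
    return user_a, project_b
```

A regression test for the fix follows the same shape: build the state from steps 1-5, request the scoped token, and assert that the request is rejected while `projectB` itself is still marked enabled.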
Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
Changed in keystone:
assignee: Guang Yee (guang-yee) → Morgan Fainberg (mdrnstm)
Changed in keystone:
milestone: none → juno-1
status: Fix Committed → Fix Released
tags: removed: havana-backport-potential icehouse-backport-potential security
Changed in keystone:
milestone: juno-1 → 2014.2
Is this a regression?