possible to grant role to user on domain/project when this domain/user was disabled
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Won't Fix
|
Medium
|
Unassigned |
Bug Description
when domain/user was disabled, we still can grant role to user on domain/project, but doc shows these operations should not be allowed.
see doc: http://
{
...
Setting this attribute to false prevents users from authorizing against this domain or any projects owned by this domain, and prevents users owned by this domain from authenticating or receiving any other authorization. Additionally, all pre-existing tokens applicable to the above entities are immediately invalidated. Re-enabling a domain does not re-enable pre-existing tokens.
}
(morganfainberg): It is likely the documentation should be updated as well to make the expected behavior a bit more clear.
Changed in keystone: | |
assignee: | nobody → wanghong (w-wanghong) |
Changed in keystone: | |
assignee: | wanghong (w-wanghong) → nobody |
tags: | removed: icehouse-backport-potential |
tags: | removed: juno-backport-potential |
I think the docs are correct since it states that the user is not allowed to get a token, but, I'm not sure if granting a role should be authorized or not (which is not what the docs are saying).