Identity authentication does not check if user is enabled

Bug #1028563 reported by Sean McMurray
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

I don't see where sql, pam, or ldap check the enabled status of a user when authenticating.

Joseph Heck (heckj)
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Adam Young (ayoung) wrote :
Joseph Heck (heckj)
Changed in keystone:
status: Triaged → Invalid
security vulnerability: yes → no
visibility: private → public
shwinpiocess (shwinpiocess) wrote :

service.py, line 276:

    # If the user is disabled don't allow them to authenticate
    if not user_ref.get('enabled', True):
        raise exception.Forbidden(message='User has been disabled')

Dolph Mathews (dolph) wrote :

I feel it necessary to ask the obvious -- were you actually able to authenticate as a disabled user or were you just looking through code?
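
An added example, not keystone code and not written by anyone in this thread: a runtime check of the kind asked about above, showing how a driver that only verifies the password can sit behind a caller that applies the enabled check quoted from service.py. `DictBackend`, the two exception classes, `try_login` and the user records are hypothetical and constructed for the illustration.

```python
import hmac


class Unauthorized(Exception):
    """Stand-in for a bad-credentials error (assumed name)."""


class Forbidden(Exception):
    """Stand-in for exception.Forbidden from the quoted lines."""


class DictBackend:
    """Hypothetical driver that only verifies the password."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, name, password):
        user_ref = self.users.get(name)
        if user_ref is None or not hmac.compare_digest(
                user_ref["password"], password):
            raise Unauthorized("Invalid user / password")
        return user_ref


def authenticate(backend, name, password):
    """Caller-side check: same expression as the quoted service.py lines."""
    user_ref = backend.authenticate(name, password)
    # If the user is disabled don't allow them to authenticate
    if not user_ref.get("enabled", True):
        raise Forbidden("User has been disabled")
    return user_ref


def try_login(backend, name, password):
    """Return a label for the outcome so it can be asserted on."""
    try:
        authenticate(backend, name, password)
        return "ok"
    except Forbidden:
        return "forbidden"
    except Unauthorized:
        return "unauthorized"


# Constructed sample records; plaintext passwords only for the illustration.
USERS = {
    "alice": {"password": "a-pass", "enabled": True},
    "bob": {"password": "b-pass", "enabled": False},
    "carol": {"password": "c-pass"},  # no 'enabled' key: treated as enabled
}
BACKEND = DictBackend(USERS)
```

Reading only `DictBackend.authenticate` would suggest the disabled flag is never consulted; exercising the full path shows where the rejection happens, and that a record with no `enabled` key is accepted because of the `True` default.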
