Domain data remains in DB after domain is deleted
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
In Progress
|
Medium
|
Ajaya Agrawal | ||
Bug Description
Hi, I am wondering if the following is a security vulnerability.
Steps:
1. domain1 is created.
+------
| Field | Value |
+------
| enabled | True |
| id | 4d6d19ae738c4a5
| links | {u'self': u'http://
| name | domain1 |
+------
2. domain1 is disabled
3. group1 is created on another domain
+------
| Field | Value |
+------
| description | |
| domain_id | default |
| id | ac91ca33665241c
| links | {u'self': u'http://
| name | group1 |
+------
4. role1 is granted to group1 for domain1
+------
| Role | User | Group | Project | Domain |
+------
| 9fe2ff9ee4384b1
| 1682a8d5ad6546c
+------
5. domain1 is deleted
6. role1 is still granted to group1 for domain1
+------
| Role | User | Group | Project | Domain |
+------
| 9fe2ff9ee4384b1
| 1682a8d5ad6546c
+------
Since, domain id is created using uuid, in case of a domain id collision when a new domain is created, (new domain's id is exactly '4d6d19ae738c4a
Thank you
| Dolph Mathews (dolph) wrote | #1 |
| Changed in keystone: | |
| importance: | Undecided → Medium |
| status: | New → Triaged |
| Changed in keystone: | |
| assignee: | nobody → wanghong (w-wanghong) |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (master) | #2 |
| Changed in keystone: | |
| status: | Triaged → In Progress |
| Henry Nash (henry-nash) wrote | #3 |
| Changed in keystone: | |
| assignee: | wanghong (w-wanghong) → Adam Young (ayoung) |
| Changed in keystone: | |
| assignee: | Adam Young (ayoung) → Ajaya Agrawal (ajayaa) |
| Samuel de Medeiros Queiroz (samueldmq) wrote | #4 |
Yes, it will... but the odds of that happening are so astronomically low that we don't consider it to be a vulnerability so much as something we need to work better to clean up (orphaned data).