Domain data remains in DB after domain is deleted
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | In Progress | Medium | Ajaya Agrawal |
Bug Description
Hi, I am wondering if the following is a security vulnerability.
Steps:
1. domain1 is created.
+------
| Field | Value |
+------
| enabled | True |
| id | 4d6d19ae738c4a5
| links | {u'self': u'http://
| name | domain1 |
+------
2. domain1 is disabled
3. group1 is created on another domain
+------
| Field | Value |
+------
| description | |
| domain_id | default |
| id | ac91ca33665241c
| links | {u'self': u'http://
| name | group1 |
+------
4. role1 is granted to group1 for domain1
+------
| Role | User | Group | Project | Domain |
+------
| 9fe2ff9ee4384b1
| 1682a8d5ad6546c
+------
5. domain1 is deleted
6. role1 is still granted to group1 for domain1
+------
| Role | User | Group | Project | Domain |
+------
| 9fe2ff9ee4384b1
| 1682a8d5ad6546c
+------
Since the domain id is created using a uuid, in case of a domain id collision when a new domain is created (new domain's id is exactly '4d6d19ae738c4a
Thank you
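To make the orphaned-data problem from the steps above concrete, here is an added example (not code from the bug report or from keystone) using an in-memory SQLite stand-in. The schema is a deliberate simplification and an assumption: a `domain` table, a `grp` table and an `assignment` table whose `target_domain_id` carries no foreign key, so deleting a domain leaves its grants behind exactly as the report describes. `delete_domain(cascade=False)` reproduces the reported behaviour, `delete_domain(cascade=True)` removes the domain's assignments in the same transaction, and `orphaned_assignments` is the audit query an operator can run to find grants pointing at domains that no longer exist. The function and table names are hypothetical.

```python
import sqlite3
import uuid


def new_store() -> sqlite3.Connection:
    """Simplified stand-in for an identity DB (assumption: keystone's real
    schema is not modelled).  Assignments store only a target id, with no
    foreign key to the domain table, so nothing stops a dangling reference."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE domain (id TEXT PRIMARY KEY, name TEXT NOT NULL,
                             enabled INTEGER NOT NULL);
        CREATE TABLE grp (id TEXT PRIMARY KEY, domain_id TEXT NOT NULL,
                          name TEXT NOT NULL);
        CREATE TABLE assignment (
            role_id TEXT NOT NULL,
            group_id TEXT NOT NULL,
            target_domain_id TEXT NOT NULL,
            PRIMARY KEY (role_id, group_id, target_domain_id));
    """)
    return conn


def create_domain(conn, name, domain_id=None):
    """Create a domain; the id is a fresh uuid unless one is supplied."""
    domain_id = domain_id or uuid.uuid4().hex
    conn.execute("INSERT INTO domain VALUES (?, ?, 1)", (domain_id, name))
    return domain_id


def disable_domain(conn, domain_id):
    conn.execute("UPDATE domain SET enabled = 0 WHERE id = ?", (domain_id,))


def create_group(conn, domain_id, name):
    group_id = uuid.uuid4().hex
    conn.execute("INSERT INTO grp VALUES (?, ?, ?)", (group_id, domain_id, name))
    return group_id


def grant(conn, role_id, group_id, domain_id):
    conn.execute("INSERT INTO assignment VALUES (?, ?, ?)",
                 (role_id, group_id, domain_id))


def delete_domain(conn, domain_id, cascade):
    """cascade=False: only the domain row goes (the reported behaviour).
    cascade=True: the domain's role assignments are removed in the same
    transaction, so no grant can outlive its target."""
    with conn:
        if cascade:
            conn.execute("DELETE FROM assignment WHERE target_domain_id = ?",
                         (domain_id,))
        conn.execute("DELETE FROM domain WHERE id = ?", (domain_id,))


def orphaned_assignments(conn):
    """Audit query: assignments whose target domain no longer exists."""
    return conn.execute("""
        SELECT a.role_id, a.group_id, a.target_domain_id
        FROM assignment a
        LEFT JOIN domain d ON d.id = a.target_domain_id
        WHERE d.id IS NULL""").fetchall()


def assignments_for_domain(conn, domain_id):
    return conn.execute(
        "SELECT role_id, group_id FROM assignment WHERE target_domain_id = ?",
        (domain_id,)).fetchall()


def reproduce(cascade):
    """Walk the six steps from the report.  Returns (orphans left after the
    delete, grants inherited by a later domain that reuses the same id)."""
    conn = new_store()
    create_domain(conn, "Default", domain_id="default")
    d1 = create_domain(conn, "domain1")                 # step 1
    disable_domain(conn, d1)                            # step 2
    g1 = create_group(conn, "default", "group1")        # step 3
    grant(conn, "role1", g1, d1)                        # step 4
    delete_domain(conn, d1, cascade)                    # step 5
    orphans = orphaned_assignments(conn)                # step 6 check
    # Constructed collision: a new domain that received the old id would
    # silently inherit the stale grant unless it was cleaned up.
    create_domain(conn, "domain2", domain_id=d1)
    inherited = assignments_for_domain(conn, d1)
    return len(orphans), len(inherited)


if __name__ == "__main__":
    print("without cascade (orphans, inherited):", reproduce(False))
    print("with cascade    (orphans, inherited):", reproduce(True))
```

The `orphaned_assignments` query is the useful part for an operator: run periodically against the assignment store, it lists exactly the rows that a cascade-on-delete would have prevented, so existing orphans can be cleaned up independently of the code fix.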
Changed in keystone:
assignee: nobody → wanghong (w-wanghong)
Changed in keystone:
assignee: wanghong (w-wanghong) → Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → Ajaya Agrawal (ajayaa)
Yes, it will... but the odds of that happening are so astronomically low that we don't consider it to be a vulnerability so much as something we need to work better to clean up (orphaned data).