possible to grant role to user on domain/project when this domain/user was disabled
Bug #1401040 reported by
Wei Xiaoli
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Won't Fix
|
Medium
|
Unassigned | ||
Bug Description
when domain/user was disabled, we still can grant role to user on domain/project, but doc shows these operations should not be allowed.
see doc: http://
{
...
Setting this attribute to false prevents users from authorizing against this domain or any projects owned by this domain, and prevents users owned by this domain from authenticating or receiving any other authorization. Additionally, all pre-existing tokens applicable to the above entities are immediately invalidated. Re-enabling a domain does not re-enable pre-existing tokens.
}
(morganfainberg): It is likely the documentation should be updated as well to make the expected behavior a bit more clear.
Revision history for this message
| Rodrigo Duarte (rodrigodsousa) wrote | #1 |
Revision history for this message
| Wei Xiaoli (xiao-li-wei) wrote | #2 |
Revision history for this message
| Morgan Fainberg (mdrnstm) wrote | #3 |
| summary: |
- documents show we can't grant role to user on domain/project when this - domain/user was disabled, but we actually do these operation, please - correct the content of documents. + possible to grant role to user on domain/project when this domain/user + was disabled |
| tags: | added: icehouse-backport-potential juno-backport-potential |
| Changed in keystone: | |
| importance: | Undecided → Medium |
| description: | updated |
Revision history for this message
| Wei Xiaoli (xiao-li-wei) wrote | #4 |
| Changed in keystone: | |
| assignee: | nobody → wanghong (w-wanghong) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (master) | #5 |
| Changed in keystone: | |
| status: | New → In Progress |
Revision history for this message
| Brant Knudson (blk-u) wrote | #6 |
Revision history for this message
| wanghong (w-wanghong) wrote | #7 |
Revision history for this message
| wanghong (w-wanghong) wrote | #8 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Change abandoned on keystone (master) | #9 |
| Changed in keystone: | |
| assignee: | wanghong (w-wanghong) → nobody |
| tags: | removed: icehouse-backport-potential |
| tags: | removed: juno-backport-potential |
Revision history for this message
| Steve Martinelli (stevemar) wrote | #10 |
| Changed in keystone: | |
| status: | In Progress → Won't Fix |
Revision history for this message
| Henry Nash (henry-nash) wrote | #11 |
To post a comment you must log in.
I think the docs are correct since it states that the user is not allowed to get a token, but, I'm not sure if granting a role should be authorized or not (which is not what the docs are saying).