The v2 API is not domain aware, and so the default domain serves to
provide an implicit domain scope for v2 API clients. If a v3 token with
a user (or project scope) outside the default domain is validated by the
v2 API, the user (or project) reference may result in a collision due to
the namespacing provided by domains.
This patch provides validation that the references being returned to the
v2 API are in fact in the default domain, and thus cannot result in
namespace collisions.
Reviewed: https://review.openstack.org/208069
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c4723550aa95be403ff591dd132c9024549eff10
Submitter: Jenkins
Branch: master
commit c4723550aa95be403ff591dd132c9024549eff10
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 31 20:31:54 2015 +0000
Validate domain ownership for v2 tokens
The v2 API is not domain aware, and so the default domain serves to
provide an implicit domain scope for v2 API clients. If a v3 token with
a user (or project scope) outside the default domain is validated by the
v2 API, the user (or project) reference may result in a collision due to
the namespacing provided by domains.
This patch provides validation that the references being returned to the
v2 API are in fact in the default domain, and thus cannot result in
namespace collisions.
Change-Id: Ia75c260485b2cff3cd6cf5cf39c0ec715b99df10
Closes-Bug: 1475762
Closes-Bug: 1483382
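The check the commit message describes, sketched as an added example (this is not Keystone's code and not part of the patch): a v3 token body is flattened into a domain-less v2-style dict only when its user and project both belong to the default domain. The token layout is simplified, and `DEFAULT_DOMAIN_ID`, `Unauthorized`, the function names and the sample tokens are all assumptions made for illustration.

```python
# Added illustration, not Keystone's code. The v3 layout (user/project each
# with a nested "domain") is simplified; all names here are hypothetical.
DEFAULT_DOMAIN_ID = "default"  # assumed id of the configured default domain


class Unauthorized(Exception):
    """The token cannot be represented safely in v2 terms."""


def _assert_default_domain(kind, ref):
    domain_id = (ref.get("domain") or {}).get("id")
    # A missing domain fails the check too: fail closed.
    if domain_id != DEFAULT_DOMAIN_ID:
        raise Unauthorized("%s not in default domain: %r" % (kind, ref.get("name")))


def v3_token_to_v2_access(token):
    """Flatten a v3 token body into a v2-style dict, which has no domain field."""
    user = token["user"]
    _assert_default_domain("user", user)
    access = {"user": {"id": user["id"], "name": user["name"]}}
    project = token.get("project")  # absent on unscoped tokens
    if project is not None:
        _assert_default_domain("project", project)
        access["tenant"] = {"id": project["id"], "name": project["name"]}
    return access


def is_accepted(token):
    try:
        v3_token_to_v2_access(token)
    except Unauthorized:
        return False
    return True


# Constructed sample tokens: identical names, different domains.
DEFAULT_TOKEN = {
    "user": {"id": "u1", "name": "admin", "domain": {"id": "default"}},
    "project": {"id": "p1", "name": "ops", "domain": {"id": "default"}},
}
OTHER_USER_TOKEN = {
    "user": {"id": "u2", "name": "admin", "domain": {"id": "d-acme"}},
    "project": {"id": "p1", "name": "ops", "domain": {"id": "default"}},
}
OTHER_PROJECT_TOKEN = {
    "user": {"id": "u1", "name": "admin", "domain": {"id": "default"}},
    "project": {"id": "p2", "name": "ops", "domain": {"id": "d-acme"}},
}
```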