Changing resource's domain_id should not be possible

Bug #1479452 reported by Henrique Truta
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Henrique Truta

Bug Description

Changing a resource's domain_id, especially a project's, is not something we want, as discussed in the last topic of: http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-07-21-18.01.log.html

This could cause some security problems as well as hierarchy inconsistency, since it would require the whole hierarchy to be changed when changing a parent project's domain_id.

We shall deprecate the 'domain_id_immutable' property (https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L66) to remove it in the future and, for now, show a warning if it is set to false.

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Wishlist
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/207218

Changed in keystone:
assignee: nobody → Henrique Truta (henriquetruta)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/230042
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=54e5bfacb2ad117965a55ba920a9f9668806d2c3
Submitter: Jenkins
Branch: master

commit 54e5bfacb2ad117965a55ba920a9f9668806d2c3
Author: henriquetruta <email address hidden>
Date: Thu Oct 1 14:51:09 2015 -0300

    Improving domain_id update tests

    Improves the tests of domain_id update of groups, users and projects.
    These tests did not check whether the domain_id was correctly updated,
    just performed the update operation.

    Related-bug: 1479452

    Change-Id: I34f15298a6a5593a660bee467964be682d616efc

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/207218
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=27c4cbc9f7565ee978525de0053a1ae5f15de633
Submitter: Jenkins
Branch: master

commit 27c4cbc9f7565ee978525de0053a1ae5f15de633
Author: henriquetruta <email address hidden>
Date: Wed Jul 29 17:49:32 2015 -0300

    Restricting domain_id update

    Restricts the update of a domain_id for a project (even with the
    'domain_id_immutable' property set to False), allowing it only for
    root projects that have no children of their own. The update of the
    domain_id of a project that has the is_domain field set True is not
    allowed either. The update of this property may cause projects hierarchy
    inconsistency and security issues.
    This patch also sets the 'domain_id_immutable' as deprecated and emits
    a WARN in case it is set False, when updating the domain_id of
    users, groups or projects.

    Closes-bug: 1479452
    Related-bug: 1502157

    Change-Id: Ib53f2173d4e4694d7ed2ecd330878664f8199371

Changed in keystone:
status: In Progress → Fix Released
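
The restriction described in the merged commit message, as an added sketch that is not keystone's code. The in-memory project dict, the function names, and the assumptions that a root project has `parent_id` of None and that `domain_id_immutable=True` refuses every change are illustrative.

```python
import logging

LOG = logging.getLogger(__name__)


def sample_projects():
    """Constructed hierarchy: a root with a child, a lone root, an is_domain project."""
    return {
        "root_a": {"domain_id": "d1", "parent_id": None, "is_domain": False},
        "child_a": {"domain_id": "d1", "parent_id": "root_a", "is_domain": False},
        "lone_root": {"domain_id": "d1", "parent_id": None, "is_domain": False},
        "domain_proj": {"domain_id": "d1", "parent_id": None, "is_domain": True},
    }


def refusal_reason(projects, project_id, new_domain_id, domain_id_immutable=True):
    """Return None if the domain_id change is allowed, else why it is refused."""
    project = projects[project_id]
    if new_domain_id == project["domain_id"]:
        return None  # not a change, nothing to restrict
    if domain_id_immutable:
        return "domain_id is immutable"
    # Deprecated option set to False: warn on every attempted change.
    LOG.warning("domain_id_immutable=False is deprecated; updating %s", project_id)
    if project["is_domain"]:
        return "project acts as a domain"
    if project["parent_id"] is not None:
        return "project is not a root project"
    if any(p["parent_id"] == project_id for p in projects.values()):
        # Moving the parent alone would leave children in the old domain.
        return "project has children"
    return None


def update_domain_id(projects, project_id, new_domain_id, domain_id_immutable=True):
    """Apply the change only when no rule refuses it; return True if applied."""
    reason = refusal_reason(projects, project_id, new_domain_id, domain_id_immutable)
    if reason is not None:
        LOG.warning("refused domain_id update of %s: %s", project_id, reason)
        return False
    projects[project_id]["domain_id"] = new_domain_id
    return True
```

Only `lone_root` can be moved in the constructed data, and only when the deprecated option is False; every other case leaves the hierarchy within a single domain.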