The v2 API is not domain aware, and so the default domain serves to
provide an implicit domain scope for v2 API clients. If a v3 token with
a user (or project scope) outside the default domain is validated by the
v2 API, the user (or project) reference may result in a collision due to
the namespacing provided by domains.
This patch provides validation that the references being returned to the
v2 API are in fact in the default domain, and thus cannot result in
namespace collisions.
Conflicts:
- keystone/tests/unit/test_v3_auth.py: A readability refactor has landed
in master. Those changes have not been backported to stable/kilo.
Reviewed: https://review.openstack.org/213216
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9dfad21201251364c6d205e8e79813bfe78e6107
Submitter: Jenkins
Branch: stable/kilo
commit 9dfad21201251364c6d205e8e79813bfe78e6107
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 31 20:31:54 2015 +0000
Validate domain ownership for v2 tokens
Change-Id: Ia75c260485b2cff3cd6cf5cf39c0ec715b99df10
Depends-On: Ia7ca08bca612b4555f6b4d9098cd7db6c540b1c4
Closes-Bug: 1475762
Closes-Bug: 1483382
(cherry picked from commit c4723550aa95be403ff591dd132c9024549eff10)
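
The check the commit message describes can be illustrated with the following added example, which is not keystone's own code. The function names, the `Unauthorized` class and the sample token bodies are hypothetical, and `DEFAULT_DOMAIN_ID = "default"` is an assumed deployment setting. It refuses to render a v3 token in v2 form unless the user and, when the token is project scoped, the project both sit in the default domain, and it fails closed when the domain reference is missing.

```python
# Added illustration; not keystone's implementation. All names are hypothetical.
DEFAULT_DOMAIN_ID = "default"  # assumed id of the deployment's default domain


class Unauthorized(Exception):
    """Raised when a v3 token cannot be represented safely in v2 form."""


def _require_default_domain(kind, ref):
    # v2 has no domain field, so an entity outside the default domain would be
    # indistinguishable from a same-named entity inside it.
    domain_id = (ref.get("domain") or {}).get("id")
    if domain_id != DEFAULT_DOMAIN_ID:
        raise Unauthorized(
            "%s %r is in domain %r, not the default domain"
            % (kind, ref.get("name"), domain_id))


def v3_token_to_v2_access(v3_body):
    """Build a v2-style 'access' document from a v3 token body, or raise."""
    token = v3_body["token"]
    user = token["user"]
    _require_default_domain("user", user)
    access = {"user": {"id": user["id"], "name": user["name"]}}
    project = token.get("project")
    if project is not None:  # unscoped tokens carry no project
        _require_default_domain("project", project)
        access["token"] = {"tenant": {"id": project["id"],
                                      "name": project["name"]}}
    return {"access": access}


def make_v3(user_domain, project_domain=None):
    # Constructed sample token bodies; ids and names are made up.
    token = {"user": {"id": "u-" + user_domain, "name": "admin",
                      "domain": {"id": user_domain}}}
    if project_domain is not None:
        token["project"] = {"id": "p-" + project_domain, "name": "ops",
                            "domain": {"id": project_domain}}
    return {"token": token}


def is_accepted(v3_body):
    try:
        v3_token_to_v2_access(v3_body)
        return True
    except Unauthorized:
        return False
```

Both constructed users are named `admin`; only the one in the default domain can be returned to a v2 client without ambiguity.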