OpenStack Identity (keystone)

  1. Bug #1483382
  2. Comment #7

Comment 7 for bug 1483382

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/kilo)

Reviewed: https://review.openstack.org/213216
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9dfad21201251364c6d205e8e79813bfe78e6107
Submitter: Jenkins
Branch: stable/kilo

commit 9dfad21201251364c6d205e8e79813bfe78e6107
Author: Dolph Mathews <email address hidden>
Date: Fri Jul 31 20:31:54 2015 +0000

    Validate domain ownership for v2 tokens

    The v2 API is not domain aware, and so the default domain serves to
    provide an implicit domain scope for v2 API clients. If a v3 token with
    a user (or project scope) outside the default domain is validated by the
    v2 API, the user (or project) reference may result in a collision due to
    the namespacing provided by domains.

    This patch provides validation that the references being returned to the
    v2 API are in fact in the default domain, and thus cannot result in
    namespace collisions.

    Conflicts:

    - keystone/tests/unit/test_v3_auth.py: A readability refactor has landed
      in master. Those changes have not been backported to stable/kilo.

    Change-Id: Ia75c260485b2cff3cd6cf5cf39c0ec715b99df10
    Depends-On: Ia7ca08bca612b4555f6b4d9098cd7db6c540b1c4
    Closes-Bug: 1475762
    Closes-Bug: 1483382
    (cherry picked from commit c4723550aa95be403ff591dd132c9024549eff10)