It's possible to disable the default domain through domain update API

Bug #1522616 reported by Lance Bragstad on 2015-12-03
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Navid Pustchi

Bug Description

We currently forbid the ability of deleting the default domain [0] (or at least make it really hard to do so). There is nothing in the update domain flow that protects against disabling the default domain.

We should add the same check to prevent someone from accidentally disabling the default domain. Otherwise it just exposes the same behavior that we wanted to prevent in the first place.

I was able to recreate this with these steps -


description: updated
Steve Martinelli (stevemar) wrote :

makes sense to fix this, we can easily check that the domain being disabled isn't the same as the default domain option in the config file.

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Navid Pustchi (npustchi) on 2015-12-10
Changed in keystone:
assignee: nobody → Navid Pustchi (npustchi)

Fix proposed to branch: master

Changed in keystone:
status: Triaged → In Progress
Brant Knudson (blk-u) wrote :

why shouldn't I be able to disable the default domain?

Boris Bobrov (bbobrov) wrote :

++, I don't see any reason to forbid disabling the default domain

Guang Yee (guang-yee) wrote :

Yes agreed. You should be able to disable the default domain if you want to. Its just another domain. Nothing special about it.

Dolph Mathews (dolph) wrote :

We currently have code that forbids deleting the default domain.

Dolph Mathews (dolph) wrote :

And the only thing special about the default domain is that if you were to disable or delete it, the entire v2.0 API would be non-functional.

Lance Bragstad (lbragstad) wrote :

We discussed this a bit in the #openstack-keystone channel [0].

We can do one of two things, as a result of that conversation.

1.) We can continue with a way to make sure the default domain specified in the configuration file can't be disabled.

2.) We allow the disablement of the default domain, knowing and advertising that this will break the entire v2.0 api. The work-around can be added to re-enable the default domain, and this would have to live within the keystone-manage functionality. Something like `keystone-manage enable_default_domain` or whatever. This wouldn't be tied to authentication, because at the point where the default domain has been disabled, you won't be able to re-enable it operating within that domain.

Thoughts on these two options?


Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Reason: Abandoning in favor of

Submitter: Jenkins
Branch: master

commit 0354fe00db11984da3ce2ae4b4113a1043e6c86d
Author: Navid Pustchi <email address hidden>
Date: Wed Jan 6 20:31:28 2016 +0000

    Delete checks for default domain delete

    Currently defualt can not be deleted through update API.
    There are checks in update_domain to prevent this.

    This change deletes all checks and related tests for deleting
    the default domain, including new default domain and old
    default domain tests.

    Change-Id: I31a9cd7ac8c394b38038343f85f405080ca5f915
    Closes-Bug: 1522616

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → mitaka-2

This issue was fixed in the openstack/keystone development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers