OpenStack Identity (keystone)

No error raised if PUT/GET/PATCH/DELETE domain-specific driver configuration database store with an invalid domain id

Bug #1524562 reported by Thomas Hsiao
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Thomas Hsiao
OpenStack Identity (keystone) mitaka-2 "m2"

Bug Description

No error raised if PUT/GET/PATCH/DELETE sql-based domain driver configuration with a invalid domain id:

For domain-specific driver configuration database store, Identity API creates the configuration options into the database even though the provided domain id is the the request url is invalid.
For example, a user can create config options using an invalid domain id (123456789) as shown below:

~$ curl -s \
> -H "X-Auth-Token: ADMIN" \
> -H "Content-Type: application/json" \
> -d '
> {
> "config":{
> "identity":{
> "driver":"ldap"
> },
> "ldap":{
> .........
> "tls_req_cert":"demand",
> "user_tree_dn":"ou=Users50,dc=cdl,dc=hp,dc=com",
> "group_allow_update":"False"
> }
> }
> } ' \
> -XPUT "http://localhost:35357/v3/domains/123456789/config/"

{"config": {"identity": {"driver": "keystone.identity.backends.ldap.Identity"}, "ldap": {"user_allow_update": "False", ........"user_name_attribute": "cn", "use_pool": "True", "user_objectclass": "posixAccount", "group_id_attribute": "gidNumber", "user_allow_create": "False", "tls_req_cert": "demand".......}}}

Once the config options created in the database, the user can even use this invalid domain id to get/update/delete the config options, an example as shown below:

~$ curl -k -H "X-Auth-Token:ADMIN" http://localhost:35357/v3/domains/123456789/config/

{"config": {"identity": {"driver": "keystone.identity.backends.ldap.Identity"}, "ldap": {"user_allow_update": "False", "group_allow_delete": "False", "group_name_attribute": "cn", "suffix": "dc=cdl,dc=hp,dc=com", ......, "group_allow_update": "False".......}}}

See original description
Thomas Hsiao (thomas-hsiao)
summary: - No error raised if PUT/GET/PATCH/DELETE sql-based domain driver
- configuration with a invalid domain id
+ No error raised if PUT/GET/PATCH/DELETE domain-specific driver
+ configuration database store with an invalid domain id
description: updated
Changed in keystone:
assignee: nobody → Thomas Hsiao (thomas-hsiao)
Revision history for this message
Steve Martinelli (stevemar) wrote :

Seems like an easy fix, just have a check to make sure the domain can be found in the backend:

https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L168

presently this doesn't happen:

    def create_domain_config(self, context, domain_id, config):
        original_config = (
            self.domain_config_api.get_config_with_sensitive_info(domain_id))
        ref = self.domain_config_api.create_config(domain_id, config)

There should be call like:

    self.resource_api.get_domain(domain_id)

before the any of the other work is performed.

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
milestone: none → mitaka-2
Revision history for this message
Thomas Hsiao (thomas-hsiao) wrote :

Hi Steve,
What do you think if we add domain id check for all cases of create/read/update/delete?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/256889

Changed in keystone:
status: Triaged → In Progress
Revision history for this message
Thomas Hsiao (thomas-hsiao) wrote :

Submitted for review:
https://review.openstack.org/#/c/256889/

OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Thomas Hsiao (thomas-hsiao) → Guang Yee (guang-yee)
Thomas Hsiao (thomas-hsiao)
Changed in keystone:
assignee: Guang Yee (guang-yee) → Thomas Hsiao (thomas-hsiao)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/256889
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5560c7060dcc906b07080c44511551c45172ecf0
Submitter: Jenkins
Branch: master

commit 5560c7060dcc906b07080c44511551c45172ecf0
Author: Thomas Hsiao <email address hidden>
Date: Fri Dec 11 15:55:19 2015 -0800

    Validate domain for DB-based domain config. CRUD

    For CRUD of Identity API-based domain-specific driver configuration
    in database store, if the client provides an invalid domain id,
    the request shall be rejected with a response 404 domain not found.

    Change-Id: I9e861d450da1a49d31bac08bea12a0e2e84c6476
    Closes-Bug: 1524562

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
Thomas Hsiao (thomas-hsiao) wrote :

Could this fix backport to Liberty?

Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b2

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.