Disabling a domain has no effect

Bug #1100145 reported by Dolph Mathews
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Dolph Mathews

Bug Description

According to the spec[1], disabling a domain should disable containing projects and users. This does not appear to be the case.

[1]: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#domains-v3domains

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/19787

Changed in keystone:
status: Confirmed → In Progress
Dolph Mathews (dolph) wrote :

We determined the above assertion to be incorrect in code review; I'm proposing a corresponding spec change: https://review.openstack.org/#/c/20137/

Instead, disabling a domain will still result in relevant token revocation, and service-side authentication will need to check both the user's domain and the authorized project's domain for a disabled state prior to allowing auth.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/19787
Committed: http://github.com/openstack/keystone/commit/02da3afe4df65b8c469ceb430ca34dab83d6451c
Submitter: Jenkins
Branch: master

commit 02da3afe4df65b8c469ceb430ca34dab83d6451c
Author: Dolph Mathews <email address hidden>
Date: Tue Jan 15 23:48:31 2013 -0600

    Enable/disable domains (bug 1100145)

    Disabling an individual domain denies auth to users and projects owned by
    that domain, and revokes all associated tokens. Re-enabling the domain
    does not re-enable tokens.

    Change-Id: Ic64f59be4f39317f4c365bec185408e79d18c45f

Changed in keystone:
status: In Progress → Fix Committed
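
The behaviour stated in the commit message and in the earlier comment (auth checks both the user's domain and the project's domain, disabling revokes tokens, re-enabling does not restore them), sketched as an added example. This is a toy in-memory model, not keystone's code; every class, method and record name is hypothetical and the sample data is constructed.

```python
# Added illustration: a toy in-memory model, not keystone's code.
# All class, method and record names are hypothetical.
import secrets
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Authentication refused."""


@dataclass
class IdentityStore:
    domains: dict = field(default_factory=dict)   # id -> {"enabled": bool}
    users: dict = field(default_factory=dict)     # id -> {"domain_id", "enabled"}
    projects: dict = field(default_factory=dict)  # id -> {"domain_id", "enabled"}
    tokens: dict = field(default_factory=dict)    # token -> (user_id, project_id)

    def authenticate(self, user_id, project_id):
        user, project = self.users[user_id], self.projects[project_id]
        if not (user["enabled"] and project["enabled"]):
            raise Unauthorized("user or project disabled")
        # Disabling a domain does not flip the flags on its users and
        # projects, so both owning domains are checked on every auth.
        for owner in (user, project):
            if not self.domains[owner["domain_id"]]["enabled"]:
                raise Unauthorized("owning domain disabled")
        token = secrets.token_hex(16)
        self.tokens[token] = (user_id, project_id)
        return token

    def set_domain_enabled(self, domain_id, enabled):
        self.domains[domain_id]["enabled"] = enabled
        if enabled:
            return  # re-enabling does not restore revoked tokens
        # Revoke tokens whose user or project is owned by the domain.
        for token, (uid, pid) in list(self.tokens.items()):
            owners = (self.users[uid]["domain_id"], self.projects[pid]["domain_id"])
            if domain_id in owners:
                del self.tokens[token]


def sample_store():
    """Constructed sample data: alice (domain d1) with projects in d1 and d2."""
    return IdentityStore(
        domains={"d1": {"enabled": True}, "d2": {"enabled": True}},
        users={"alice": {"domain_id": "d1", "enabled": True}},
        projects={"p1": {"domain_id": "d1", "enabled": True},
                  "p2": {"domain_id": "d2", "enabled": True}},
    )
```
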
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-3 → 2013.1