OpenStack Identity (keystone)

Disabling a domain has no effect

Bug #1100145 reported by Dolph Mathews on 2013-01-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Dolph Mathews	OpenStack Identity (keystone) 2013.1 "grizzly"

Bug Description

According to the spec[1], disabling a domain should disable containing projects and users. This does not appear to be the case.

[1]: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#domains-v3domains

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-01-16: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/19787

Changed in keystone:
status:	Confirmed → In Progress

Revision history for this message

Dolph Mathews (dolph) wrote on 2013-01-21:

We determined the above assertion to be incorrect in code review; I'm proposing a corresponding spec change: https://review.openstack.org/#/c/20137/

Instead, disabling a domain will still result in relevant token revocation, and service-side authentication will need to check both the user's domain and the authorized project's domain for a disabled state prior to allowing auth.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-01-29: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/19787
Committed: http://github.com/openstack/keystone/commit/02da3afe4df65b8c469ceb430ca34dab83d6451c
Submitter: Jenkins
Branch: master

commit 02da3afe4df65b8c469ceb430ca34dab83d6451c
Author: Dolph Mathews <email address hidden>
Date: Tue Jan 15 23:48:31 2013 -0600

Enable/disable domains (bug 1100145)

    Disabling an individual domain denies auth to users and projects owned by
    that domain, and revokes all associated tokens. Re-enabling the domain
    does not re-enable tokens.

Change-Id: Ic64f59be4f39317f4c365bec185408e79d18c45f

Changed in keystone:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2013-02-21

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-04-04

Changed in keystone:
milestone:	grizzly-3 → 2013.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.