yahoo-eng-team team mailing list archive

[Bug 988920] Re: [OSSA 2012-016]Token authentication for a user in a disabled tenant does not raise Unauthorized error

 

** Summary changed:

- Token authentication for a user in a disabled tenant does not raise Unauthorized error
+ [OSSA 2012-016]Token authentication for a user in a disabled tenant does not raise Unauthorized error

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Russell Bryant (russellb)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/988920

Title:
  [OSSA 2012-016]Token authentication for a user in a disabled tenant
  does not raise Unauthorized error

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in “keystone” package in Ubuntu:
  Fix Released
Status in “keystone” source package in Precise:
  Fix Released

Bug description:
  Scenario: Token authentication for a user belonging to a disabled
  tenant should not be allowed.

  Steps:
  1. Create a tenant and a user for the tenant
  2. Disable the tenant
  3. Request token authentication (POST) for the user and tenant
  E.g.:
      {
          "auth": {
              "tenantName": "disabled_tenant",
              "passwordCredentials": {
                  "username": "test_user1",
                  "password": "password"
              }
          }
      }

  Expected Status: HTTP 401 Unauthorized
  Actual Status: HTTP 200 OK

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/988920/+subscriptions
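
The behaviour the bug description expects, as an added example (not Keystone's code and not part of the original notification): a small in-memory model of a tenant-scoped token request that can be used as a regression check. The data store, the function name `token_request_status` and the `check_tenant_enabled` switch are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Tenant:
    name: str
    enabled: bool = True

@dataclass
class User:
    name: str
    password: str          # plaintext only because this is a toy model
    tenants: tuple = ()

# Constructed sample data matching the request body in the report.
TENANTS = {
    "disabled_tenant": Tenant("disabled_tenant", enabled=False),
    "active_tenant": Tenant("active_tenant"),
}
USERS = {"test_user1": User("test_user1", "password",
                            ("disabled_tenant", "active_tenant"))}

REPORT_REQUEST = {"auth": {"tenantName": "disabled_tenant",
                           "passwordCredentials": {"username": "test_user1",
                                                   "password": "password"}}}

def token_request_status(body, check_tenant_enabled=True):
    """Return the HTTP status a token request should get in this model."""
    try:
        auth = body["auth"]
        creds = auth["passwordCredentials"]
        username, password = str(creds["username"]), str(creds["password"])
    except (KeyError, TypeError):
        return 400
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user.password.encode(),
                                               password.encode()):
        return 401
    tenant_name = auth.get("tenantName")
    if tenant_name is None:
        return 200                      # unscoped token, no tenant to check
    tenant = TENANTS.get(tenant_name)
    # Unknown tenant, non-membership and disabled tenant all map to 401 so
    # the response does not reveal which condition failed.
    if tenant is None or tenant_name not in user.tenants:
        return 401
    if check_tenant_enabled and not tenant.enabled:
        return 401                      # the outcome the report expects
    return 200
```

Calling `token_request_status(REPORT_REQUEST, check_tenant_enabled=False)` reproduces the reported 200 within the model; with the default it returns the expected 401.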