yahoo-eng-team team mailing list archive
Message #19414
[Bug 1360391] [NEW] Domain data remains in DB after domain is deleted
Public bug reported:
Hi, I am wondering if the following is a security vulnerability.
Steps:
1. domain1 is created.
+---------+--------------------------------------------------------------------------------+
| Field   | Value                                                                          |
+---------+--------------------------------------------------------------------------------+
| enabled | True                                                                           |
| id      | 4d6d19ae738c4a56af6433206fa9755b                                               |
| links   | {u'self': u'http://0.0.0.0:35357/v3/domains/4d6d19ae738c4a56af6433206fa9755b'} |
| name    | domain1                                                                        |
+---------+--------------------------------------------------------------------------------+
2. domain1 is disabled
3. group1 is created on another domain
+-------------+-------------------------------------------------------------------------------+
| Field       | Value                                                                         |
+-------------+-------------------------------------------------------------------------------+
| description |                                                                               |
| domain_id   | default                                                                       |
| id          | ac91ca33665241c48b20d7f121d52ba0                                              |
| links       | {u'self': u'http://0.0.0.0:35357/v3/groups/ac91ca33665241c48b20d7f121d52ba0'} |
| name        | group1                                                                        |
+-------------+-------------------------------------------------------------------------------+
4. role1 is granted to group1 for domain1
+----------------------------------+----------------------------------+----------------------------------+---------+----------------------------------+
| Role                             | User                             | Group                            | Project | Domain                           |
+----------------------------------+----------------------------------+----------------------------------+---------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 935d2f23300f4effbfd9c258cd71b329 |                                  |         | default                          |
| 1682a8d5ad6546c9ab627c010d9caf00 |                                  | ac91ca33665241c48b20d7f121d52ba0 |         | 4d6d19ae738c4a56af6433206fa9755b |
+----------------------------------+----------------------------------+----------------------------------+---------+----------------------------------+
5. domain1 is deleted
6. role1 is still granted to group1 for domain1
+----------------------------------+----------------------------------+----------------------------------+---------+----------------------------------+
| Role                             | User                             | Group                            | Project | Domain                           |
+----------------------------------+----------------------------------+----------------------------------+---------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 935d2f23300f4effbfd9c258cd71b329 |                                  |         | default                          |
| 1682a8d5ad6546c9ab627c010d9caf00 |                                  | ac91ca33665241c48b20d7f121d52ba0 |         | 4d6d19ae738c4a56af6433206fa9755b |
+----------------------------------+----------------------------------+----------------------------------+---------+----------------------------------+
Since the domain id is created using a UUID, in case of a domain id collision
when a new domain is created (the new domain's id is exactly
'4d6d19ae738c4a56af6433206fa9755b'), won't this give anyone who is a
member of group1 role1 for the new domain?
Thank you
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1360391
Title:
Domain data remains in DB after domain is deleted
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1360391/+subscriptions
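An added illustration of the stale-grant problem the report describes. This is not Keystone's code or schema but a simplified in-memory model (the `Assignment`/`Store` classes and `reproduce` helper are hypothetical), using the ids quoted in the report as constructed sample values. It contrasts a domain delete that leaves the grant behind with a cascading delete, and adds an audit check for assignments whose target domain no longer exists, which is what the reporter's id-reuse question turns on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Ids quoted in the report above, used here as constructed sample values.
DOMAIN1 = "4d6d19ae738c4a56af6433206fa9755b"
GROUP1 = "ac91ca33665241c48b20d7f121d52ba0"
ROLE1 = "1682a8d5ad6546c9ab627c010d9caf00"


@dataclass
class Assignment:
    """One row of a simplified role-assignment table (hypothetical model)."""
    role_id: str
    group_id: Optional[str] = None
    project_id: Optional[str] = None
    domain_id: Optional[str] = None


@dataclass
class Store:
    domains: Set[str] = field(default_factory=set)
    assignments: List[Assignment] = field(default_factory=list)

    def delete_domain(self, domain_id: str, cascade: bool) -> None:
        """cascade=False mirrors the reported behaviour: the domain row goes
        but its grants stay. cascade=True also removes grants scoped to it."""
        self.domains.discard(domain_id)
        if cascade:
            self.assignments = [a for a in self.assignments
                                if a.domain_id != domain_id]

    def orphaned_assignments(self) -> List[Assignment]:
        """Audit check: grants scoped to a domain that no longer exists."""
        return [a for a in self.assignments
                if a.domain_id and a.domain_id not in self.domains]

    def roles_for_group_on_domain(self, group_id: str, domain_id: str) -> Set[str]:
        return {a.role_id for a in self.assignments
                if a.group_id == group_id and a.domain_id == domain_id}


def reproduce(cascade: bool) -> Dict[str, object]:
    """Steps 4-6 of the report, then the hypothetical id reuse it asks about."""
    s = Store(domains={"default", DOMAIN1})
    s.assignments.append(Assignment(ROLE1, group_id=GROUP1, domain_id=DOMAIN1))
    s.delete_domain(DOMAIN1, cascade=cascade)
    orphans = len(s.orphaned_assignments())
    s.domains.add(DOMAIN1)  # a new domain happens to get the deleted domain's id
    return {"orphans_after_delete": orphans,
            "roles_inherited": s.roles_for_group_on_domain(GROUP1, DOMAIN1)}
```

Without the cascade the orphan check reports one dangling grant and the re-created domain inherits role1 for group1; with it, both are empty, which is the invariant a periodic audit of the assignment table should enforce.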