yahoo-eng-team team mailing list archive
  
  - 
     yahoo-eng-team team yahoo-eng-team team
- 
    Mailing list archive
  
- 
    Message #29473
  
 [Bug 1315556] Re: Disabling a domain does not disable the projects in that domain
  
** Changed in: keystone/icehouse
       Status: Fix Committed => Fix Released
-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1315556
Title:
  Disabling a domain does not disable the projects in that domain
Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone icehouse series:
  Fix Released
Bug description:
  User from an enabled domain can still get a token scoped to a project
  in a disabled domain.
  Steps to reproduce.
  1. create domains "domainA" and "domainB"
  2. create user "userA" and project "projectA" in "domainA"
  3. create user "userB" and project "projectB" in "domainB"
  4. assign "userA" some role for "projectB"
  5. disable "domainB"
  6. authenticate to get a  token for "userA" scoped to "projectB". This should fail as "projectB"'s domain ("domainB") is disabled.
  Looks like the fix would be the check for the project domain to make
  sure it is also enabled. See
  https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L112
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1315556/+subscriptions
References