yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1522616] [NEW] It's possible to disable the default domain through domain update API

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lance Bragstad <lbragstad@xxxxxxxxx>
Date: Thu, 03 Dec 2015 23:02:43 -0000
Reply-to: Bug 1522616 <1522616@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

We currently forbid the ability of deleting the default domain [0] (or
at least make it really hard to do so). There is nothing in the update
domain flow that protects against disabling the default domain.

We should add the same check to prevent someone from accidentally
disabling the default domain. Otherwise it just exposes the same
behavior that we wanted to prevent in the first place.

I was able to recreate this with these steps -
http://cdn.pasteraw.com/38uku7bb83dt4prj6f66hc9ccuft0ew

[0]
https://github.com/openstack/keystone/blob/45c19fcd8c4cc382a7471432cd9f72b809e1d5b1/keystone/resource/core.py#L526-L532

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  We currently forbid the ability of deleting the default domain [0] (or
  at least make it really hard to do so). There is nothing in the update
  domain flow that protects against disabling the default domain.
  
  We should add the same check to prevent someone from accidentally
  disabling the default domain. Otherwise it just exposes the same
  behavior that we wanted to prevent in the first place.
  
+ I was able to recreate this with these steps -
+ http://cdn.pasteraw.com/38uku7bb83dt4prj6f66hc9ccuft0ew
  
- [0] https://github.com/openstack/keystone/blob/45c19fcd8c4cc382a7471432cd9f72b809e1d5b1/keystone/resource/core.py#L526-L532
+ [0]
+ https://github.com/openstack/keystone/blob/45c19fcd8c4cc382a7471432cd9f72b809e1d5b1/keystone/resource/core.py#L526-L532

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1522616

Title:
  It's possible to disable the default domain through domain update API

Status in OpenStack Identity (keystone):
  New

Bug description:
  We currently forbid the ability of deleting the default domain [0] (or
  at least make it really hard to do so). There is nothing in the update
  domain flow that protects against disabling the default domain.

  We should add the same check to prevent someone from accidentally
  disabling the default domain. Otherwise it just exposes the same
  behavior that we wanted to prevent in the first place.

  I was able to recreate this with these steps -
  http://cdn.pasteraw.com/38uku7bb83dt4prj6f66hc9ccuft0ew

  [0]
  https://github.com/openstack/keystone/blob/45c19fcd8c4cc382a7471432cd9f72b809e1d5b1/keystone/resource/core.py#L526-L532

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1522616/+subscriptions

Follow ups

[Bug 1522616] Re: It's possible to disable the default domain through domain update API
From: OpenStack Infra, 2016-01-13