yahoo-eng-team team mailing list archive
Message #43124
[Bug 1524562] [NEW] No error raised if PUT/GET/PATCH/DELETE domain-specific driver configuration database store with an invalid domain id
Public bug reported:
No error raised if PUT/GET/PATCH/DELETE sql-based domain driver
configuration with an invalid domain id:
For domain-specific driver configuration database store, Identity API creates the configuration options into the database even though the provided domain id in the request URL is invalid.
For example, a user can create config options using an invalid domain id (123456789) as shown below:
~$ curl -s \
> -H "X-Auth-Token: ADMIN" \
> -H "Content-Type: application/json" \
> -d '
> {
> "config":{
> "identity":{
> "driver":"ldap"
> },
> "ldap":{
> .........
> "tls_req_cert":"demand",
> "user_tree_dn":"ou=Users50,dc=cdl,dc=hp,dc=com",
> "group_allow_update":"False"
> }
> }
> } ' \
> -XPUT "http://localhost:35357/v3/domains/123456789/config/"
{"config": {"identity": {"driver":
"keystone.identity.backends.ldap.Identity"}, "ldap":
{"user_allow_update": "False", ........"user_name_attribute": "cn",
"use_pool": "True", "user_objectclass": "posixAccount",
"group_id_attribute": "gidNumber", "user_allow_create": "False",
"tls_req_cert": "demand".......}}}
Once the config options are created in the database, the user can even use
this invalid domain id to get/update/delete the config options; an
example is shown below:
~$ curl -k -H "X-Auth-Token:ADMIN" http://localhost:35357/v3/domains/123456789/config/
{"config": {"identity": {"driver":
"keystone.identity.backends.ldap.Identity"}, "ldap":
{"user_allow_update": "False", "group_allow_delete": "False",
"group_name_attribute": "cn", "suffix": "dc=cdl,dc=hp,dc=com", ......,
"group_allow_update": "False".......}}}
** Affects: keystone
Importance: Undecided
Assignee: Thomas Hsiao (thomas-hsiao)
Status: New
** Summary changed:
- No error raised if PUT/GET/PATCH/DELETE sql-based domain driver configuration with a invalid domain id
+ No error raised if PUT/GET/PATCH/DELETE domain-specific driver configuration database store with an invalid domain id
** Description changed:
No error raised if PUT/GET/PATCH/DELETE sql-based domain driver
configuration with a invalid domain id:
- For domain-specific driver configuration database store, Identity API creates the configuration options into the database even when the provided domain id is the url is invalid.
+ For domain-specific driver configuration database store, Identity API creates the configuration options into the database even though the provided domain id is the the request url is invalid.
** Changed in: keystone
Assignee: (unassigned) => Thomas Hsiao (thomas-hsiao)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1524562
Title:
No error raised if PUT/GET/PATCH/DELETE domain-specific driver
configuration database store with an invalid domain id
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1524562/+subscriptions
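The following is an added illustration, not keystone's code and not part of the bug report: a toy in-memory model of the domain config endpoints showing the reported behaviour next to the same handler with a domain-existence check, plus an audit for config rows left under ids that match no domain. The class, method names and status codes are hypothetical and simplified.

```python
# Added example: simplified model, not keystone's implementation.
class DomainConfigAPI:
    """Toy stand-in for the domain config endpoints and their SQL store."""

    def __init__(self, domains, check_domain):
        self.domains = set(domains)       # ids of domains that really exist
        self.check_domain = check_domain  # False reproduces the reported behaviour
        self.rows = {}                    # config table: domain_id -> config dict

    def handle(self, method, domain_id, body=None):
        """Return (status, payload); status codes are simplified."""
        # The missing step: resolve the URL's domain id before touching config.
        if self.check_domain and domain_id not in self.domains:
            return 404, {"error": "domain not found"}
        if method == "PUT":
            self.rows[domain_id] = dict(body or {})
            return 200, self.rows[domain_id]
        if domain_id not in self.rows:
            return 404, {"error": "no config for domain"}
        if method == "GET":
            return 200, self.rows[domain_id]
        if method == "PATCH":
            self.rows[domain_id].update(body or {})
            return 200, self.rows[domain_id]
        if method == "DELETE":
            del self.rows[domain_id]
            return 204, None
        return 405, {"error": "method not allowed"}

    def orphaned_config_ids(self):
        """Audit: config rows whose domain id matches no existing domain."""
        return sorted(set(self.rows) - self.domains)


def demo():
    cfg = {"identity": {"driver": "ldap"}}   # constructed sample body
    real = "constructed-domain-id"           # constructed id of an existing domain
    results = {}
    for name, check in (("before", False), ("after", True)):
        api = DomainConfigAPI({real}, check_domain=check)
        # 123456789 is the invalid domain id used in the report.
        results[name] = [api.handle(m, "123456789", cfg)[0] for m in ("PUT", "GET")]
        results[name + "_orphans"] = api.orphaned_config_ids()
    return results


if __name__ == "__main__":
    print(demo())
```

The audit matters after the check is added as well, since rows written earlier under non-existent domain ids stay in the store until they are removed.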