
yahoo-eng-team team mailing list archive

[Bug 1524562] Re: No error raised if PUT/GET/PATCH/DELETE domain-specific driver configuration database store with an invalid domain id

 

Reviewed:  https://review.openstack.org/256889
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5560c7060dcc906b07080c44511551c45172ecf0
Submitter: Jenkins
Branch:    master

commit 5560c7060dcc906b07080c44511551c45172ecf0
Author: Thomas Hsiao <thomas.hsiao@xxxxxx>
Date:   Fri Dec 11 15:55:19 2015 -0800

    Validate domain for DB-based domain config. CRUD
    
    For CRUD of Identity API-based domain-specific driver configuration
    in database store, if the client provides an invalid domain id,
    the request shall be rejected with a response 404 domain not found.
    
    Change-Id: I9e861d450da1a49d31bac08bea12a0e2e84c6476
    Closes-Bug: 1524562


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1524562

Title:
  No error raised if PUT/GET/PATCH/DELETE  domain-specific driver
  configuration database store with an invalid domain id

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  No error raised if PUT/GET/PATCH/DELETE sql-based domain driver
  configuration with an invalid domain id:

  For domain-specific driver configuration database store, Identity API creates the configuration options in the database even though the domain id provided in the request URL is invalid.
  For example, a user can create config options using an invalid domain id (123456789) as shown below:

  ~$ curl -s \
  >   -H "X-Auth-Token: ADMIN" \
  >   -H "Content-Type: application/json" \
  >   -d '
  > {
  >    "config":{
  >       "identity":{
  >          "driver":"ldap"
  >       },
  >       "ldap":{
  >          .........
  >          "tls_req_cert":"demand",
  >          "user_tree_dn":"ou=Users50,dc=cdl,dc=hp,dc=com",
  >          "group_allow_update":"False"
  >       }
  >    }
  > } ' \
  >   -XPUT "http://localhost:35357/v3/domains/123456789/config/";

  {"config": {"identity": {"driver":
  "keystone.identity.backends.ldap.Identity"}, "ldap":
  {"user_allow_update": "False", ........"user_name_attribute": "cn",
  "use_pool": "True", "user_objectclass": "posixAccount",
  "group_id_attribute": "gidNumber", "user_allow_create": "False",
  "tls_req_cert": "demand".......}}}

  Once the config options are created in the database, the user can even
  use this invalid domain id to get/update/delete the config options, as
  shown in the example below:

  ~$ curl -k -H "X-Auth-Token:ADMIN"
  http://localhost:35357/v3/domains/123456789/config/

  {"config": {"identity": {"driver":
  "keystone.identity.backends.ldap.Identity"}, "ldap":
  {"user_allow_update": "False", "group_allow_delete": "False",
  "group_name_attribute": "cn", "suffix": "dc=cdl,dc=hp,dc=com", ......,
  "group_allow_update": "False".......}}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1524562/+subscriptions
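
The behaviour reported above and the check the commit message calls for, as an added example that is not part of the original message and is not keystone's code. The class, method, and function names are hypothetical, the store is an in-memory stand-in for the database, and "accepted" stands in for whatever success status the real API returns.

```python
# Added illustration, not keystone code; every name here is hypothetical.
class DomainNotFound(Exception):
    status = 404  # what the API layer would return to the client

class DomainConfigAPI:
    """In-memory stand-in for a DB-backed domain config store."""

    def __init__(self, known_domains, validate_domain=True):
        self.known_domains = set(known_domains)  # stand-in for the domain table
        self.validate_domain = validate_domain   # False reproduces the reported bug
        self.configs = {}                        # domain_id -> config options

    def _require_domain(self, domain_id):
        # Resolve the domain before any config CRUD touches the store.
        if self.validate_domain and domain_id not in self.known_domains:
            raise DomainNotFound(domain_id)

    def put(self, domain_id, config):
        self._require_domain(domain_id)
        self.configs[domain_id] = dict(config)

    def get(self, domain_id):
        self._require_domain(domain_id)
        return self.configs.get(domain_id, {})

    def patch(self, domain_id, changes):
        self._require_domain(domain_id)
        self.configs.setdefault(domain_id, {}).update(changes)

    def delete(self, domain_id):
        self._require_domain(domain_id)
        self.configs.pop(domain_id, None)

def probe(api, domain_id):
    """Run all four verbs against domain_id; report 404 or 'accepted' per verb."""
    calls = {
        "PUT": lambda: api.put(domain_id, {"identity": {"driver": "ldap"}}),
        "GET": lambda: api.get(domain_id),
        "PATCH": lambda: api.patch(domain_id, {"ldap": {"tls_req_cert": "demand"}}),
        "DELETE": lambda: api.delete(domain_id),
    }
    result = {}
    for verb, call in calls.items():
        try:
            call()
            result[verb] = "accepted"
        except DomainNotFound as exc:
            result[verb] = exc.status
    return result
```

Running `probe` with `validate_domain=False` against the id 123456789 shows every verb accepted, which is the reported behaviour; with the default guard, all four return 404 while a known domain is still served.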

