yahoo-eng-team team mailing list archive
Message #43370
[Bug 1524562] Re: No error raised if PUT/GET/PATCH/DELETE domain-specific driver configuration database store with an invalid domain id
Reviewed: https://review.openstack.org/256889
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5560c7060dcc906b07080c44511551c45172ecf0
Submitter: Jenkins
Branch: master
commit 5560c7060dcc906b07080c44511551c45172ecf0
Author: Thomas Hsiao <thomas.hsiao@xxxxxx>
Date: Fri Dec 11 15:55:19 2015 -0800
Validate domain for DB-based domain config. CRUD
For CRUD of Identity API-based domain-specific driver configuration
in database store, if the client provides an invalid domain id,
the request shall be rejected with a response 404 domain not found.
Change-Id: I9e861d450da1a49d31bac08bea12a0e2e84c6476
Closes-Bug: 1524562
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1524562
Title:
No error raised if PUT/GET/PATCH/DELETE domain-specific driver
configuration database store with an invalid domain id
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
No error raised if PUT/GET/PATCH/DELETE sql-based domain driver
configuration with an invalid domain id:
For domain-specific driver configuration database store, Identity API creates the configuration options in the database even though the domain id provided in the request URL is invalid.
For example, a user can create config options using an invalid domain id (123456789) as shown below:
~$ curl -s \
> -H "X-Auth-Token: ADMIN" \
> -H "Content-Type: application/json" \
> -d '
> {
> "config":{
> "identity":{
> "driver":"ldap"
> },
> "ldap":{
> .........
> "tls_req_cert":"demand",
> "user_tree_dn":"ou=Users50,dc=cdl,dc=hp,dc=com",
> "group_allow_update":"False"
> }
> }
> } ' \
> -XPUT "http://localhost:35357/v3/domains/123456789/config/"
{"config": {"identity": {"driver":
"keystone.identity.backends.ldap.Identity"}, "ldap":
{"user_allow_update": "False", ........"user_name_attribute": "cn",
"use_pool": "True", "user_objectclass": "posixAccount",
"group_id_attribute": "gidNumber", "user_allow_create": "False",
"tls_req_cert": "demand".......}}}
Once the config options are created in the database, the user can even
use this invalid domain id to get/update/delete the config options; an
example is shown below:
~$ curl -k -H "X-Auth-Token:ADMIN" http://localhost:35357/v3/domains/123456789/config/
{"config": {"identity": {"driver":
"keystone.identity.backends.ldap.Identity"}, "ldap":
{"user_allow_update": "False", "group_allow_delete": "False",
"group_name_attribute": "cn", "suffix": "dc=cdl,dc=hp,dc=com", ......,
"group_allow_update": "False".......}}}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1524562/+subscriptions
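Added example, not part of the original message and not keystone's code: a small in-memory model of the behaviour reported above, with the domain check switched off (as in the bug) or on (as the commit message describes, rejecting with 404). All class, method and function names are hypothetical.

```python
# Added illustration only; hypothetical names, not keystone's code.
class DomainNotFound(Exception):
    status = 404  # the response the fix returns for an unknown domain id


class DomainConfigStore:
    """In-memory stand-in for the database-backed domain config store."""

    def __init__(self, domains, validate_domain):
        self.domains = set(domains)        # ids of domains that exist
        self.validate_domain = validate_domain
        self.configs = {}                  # domain_id -> config options

    def _check_domain(self, domain_id):
        # The missing step: confirm the id taken from the URL names a real
        # domain before any read or write of its config.
        if self.validate_domain and domain_id not in self.domains:
            raise DomainNotFound(domain_id)

    def put(self, domain_id, config):
        self._check_domain(domain_id)
        self.configs[domain_id] = dict(config)
        return self.configs[domain_id]

    def get(self, domain_id):
        self._check_domain(domain_id)
        return self.configs.get(domain_id, {})

    def patch(self, domain_id, changes):
        self._check_domain(domain_id)
        self.configs.setdefault(domain_id, {}).update(changes)
        return self.configs[domain_id]

    def delete(self, domain_id):
        self._check_domain(domain_id)
        self.configs.pop(domain_id, None)

    def orphaned_configs(self):
        # Rows stored before validation existed: config ids with no domain.
        return sorted(set(self.configs) - self.domains)


def status_of(operation, *args):
    """Return "ok", or 404 when the store rejects the domain id."""
    try:
        operation(*args)
        return "ok"
    except DomainNotFound as exc:
        return exc.status
```

With validation off, a PUT for domain id 123456789 is stored and orphaned_configs() reports it; with validation on, all four operations return 404 and nothing is written.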