yahoo-eng-team team mailing list archive
Message #46359
[Bug 1479452] Re: Changing resource's domain_id should not be possible
Reviewed: https://review.openstack.org/207218
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=27c4cbc9f7565ee978525de0053a1ae5f15de633
Submitter: Jenkins
Branch: master
commit 27c4cbc9f7565ee978525de0053a1ae5f15de633
Author: henriquetruta <henrique@xxxxxxxxxxxxxxx>
Date: Wed Jul 29 17:49:32 2015 -0300
Restricting domain_id update
Restricts the update of a domain_id for a project (even with the
'domain_id_immutable' property set to False), allowing it only for
root projects that have no children of their own. The update of the
domain_id of a project that has the is_domain field set True is not
allowed either. The update of this property may cause project hierarchy
inconsistency and security issues.
This patch also sets the 'domain_id_immutable' as deprecated and emits
a WARN in case it is set False, when updating the domain_id of
users, groups or projects.
Closes-bug: 1479452
Related-bug: 1502157
Change-Id: Ib53f2173d4e4694d7ed2ecd330878664f8199371
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1479452
Title:
Changing resource's domain_id should not be possible
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
Changing a resource's domain_id, especially a project, is not something
we want, as discussed at the last topic of:
http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-07-21-18.01.log.html
This could cause some security problems as well as hierarchy's
inconsistency, once it'll require the whole hierarchy to be changed,
when changing a parent project's domain_id.
We shall deprecate the 'domain_id_immutable' property
(https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L66)
to remove it in the future and for now, show a warning if it is set
false.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1479452/+subscriptions
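
The restriction described in the commit message above, sketched as an added example (not keystone's code, and not part of the original notification). It assumes projects are plain dicts with the fields id, domain_id, parent_id and is_domain, that a root project has parent_id None, and it uses Python's warnings module in place of keystone's logging; the function names, the exception type and the sample data are hypothetical. The audit function shows the inconsistency the bug describes: a child left in a different domain from its parent.

```python
import warnings

# Constructed sample hierarchy (not real data): root "a" with child "b",
# a childless root "c", and a project "d" that acts as a domain.
PROJECTS = {
    "a": {"domain_id": "d1", "parent_id": None, "is_domain": False},
    "b": {"domain_id": "d1", "parent_id": "a", "is_domain": False},
    "c": {"domain_id": "d1", "parent_id": None, "is_domain": False},
    "d": {"domain_id": "d1", "parent_id": None, "is_domain": True},
}


class DomainUpdateForbidden(Exception):
    """Hypothetical exception type for a rejected domain_id change."""


def check_domain_id_update(projects, project_id, new_domain_id,
                           domain_id_immutable=True):
    """Return True if the update changes domain_id and is permitted,
    False if nothing changes; raise DomainUpdateForbidden otherwise."""
    project = projects[project_id]
    if new_domain_id == project["domain_id"]:
        return False  # not a domain change, nothing to restrict
    if domain_id_immutable:
        raise DomainUpdateForbidden("domain_id is immutable")
    # Option set to False: deprecated, so warn before applying the rules.
    warnings.warn("domain_id_immutable=False is deprecated",
                  DeprecationWarning)
    if project["is_domain"]:
        raise DomainUpdateForbidden("project acts as a domain")
    if project["parent_id"] is not None:
        raise DomainUpdateForbidden("not a root project")
    if any(p["parent_id"] == project_id for p in projects.values()):
        raise DomainUpdateForbidden("project has children")
    return True


def find_domain_mismatches(projects):
    """Audit: list (child_id, parent_id) pairs whose domain_ids differ."""
    return sorted(
        (pid, p["parent_id"]) for pid, p in projects.items()
        if p["parent_id"] is not None
        and projects[p["parent_id"]]["domain_id"] != p["domain_id"]
    )
```

Running find_domain_mismatches over an existing project list is a way to spot hierarchies that were split across domains before the restriction applied.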