yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1401040] Re: possible to grant role to user on domain/project when this domain/user was disabled

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Steve Martinelli <stevemar@xxxxxxxxxx>
Date: Sun, 21 Feb 2016 06:59:05 -0000
Reply-to: Bug 1401040 <1401040@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Adding a role to a disabled user/group should be fine. Authentication
will still fail for the user if she is disabled or the project is
disabled.

** Changed in: keystone
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1401040

Title:
  possible to grant role to user on domain/project when this domain/user
  was disabled

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  when domain/user was disabled, we still can grant role to user on
  domain/project, but doc shows these operations should not be allowed.

  see doc: http://docs.openstack.org/api/openstack-identity-service/3/content/domains-v3domains.html
  {
  ...
  Setting this attribute to false prevents users from authorizing against this domain or any projects owned by this domain, and prevents users owned by this domain from authenticating or receiving any other authorization. Additionally, all pre-existing tokens applicable to the above entities are immediately invalidated. Re-enabling a domain does not re-enable pre-existing tokens.
  }

  (morganfainberg): It is likely the documentation should be updated as
  well to make the expected behavior a bit more clear.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1401040/+subscriptions

References

[Bug 1401040] [NEW] documents show we can't grant role to user on domain/project when this domain/user was disabled, but we actually do these operation, please correct the content of documents.
From: Wei Xiaoli, 2014-12-10