Public bug reported:

No error raised if PUT/GET/PATCH/DELETE sql-based domain driver
configuration with an invalid domain id:

For domain-specific driver configuration database store, Identity API creates
the configuration options into the database even though the provided domain id
in the request url is invalid.

For example, a user can create config options using an invalid domain id
(123456789) as shown below:
~$ curl -s \
> -H "X-Auth-Token: ADMIN" \
> -H "Content-Type: application/json" \
> -d '
> {
> "config":{
> "identity":{
> "driver":"ldap"
> },
> "ldap":{
> .........
> "tls_req_cert":"demand",
> "user_tree_dn":"ou=Users50,dc=cdl,dc=hp,dc=com",
> "group_allow_update":"False"
> }
> }
> } ' \
> -XPUT "http://localhost:35357/v3/domains/123456789/config/"
{"config": {"identity": {"driver":
"keystone.identity.backends.ldap.Identity"}, "ldap":
{"user_allow_update": "False", ........"user_name_attribute": "cn",
"use_pool": "True", "user_objectclass": "posixAccount",
"group_id_attribute": "gidNumber", "user_allow_create": "False",
"tls_req_cert": "demand".......}}}
Once the config options are created in the database, the user can even use
this invalid domain id to get/update/delete the config options. An
example is shown below:
~$ curl -k -H "X-Auth-Token:ADMIN" http://localhost:35357/v3/domains/123456789/config/
{"config": {"identity": {"driver":
"keystone.identity.backends.ldap.Identity"}, "ldap":
{"user_allow_update": "False", "group_allow_delete": "False",
"group_name_attribute": "cn", "suffix": "dc=cdl,dc=hp,dc=com", ......,
"group_allow_update": "False".......}}}
** Affects: keystone
Importance: Undecided
Assignee: Thomas Hsiao (thomas-hsiao)
Status: New
** Summary changed:
- No error raised if PUT/GET/PATCH/DELETE sql-based domain driver configuration
with a invalid domain id
+ No error raised if PUT/GET/PATCH/DELETE domain-specific driver configuration
database store with an invalid domain id
** Description changed:
No error raised if PUT/GET/PATCH/DELETE sql-based domain driver
configuration with a invalid domain id:
- For domain-specific driver configuration database store, Identity API creates
the configuration options into the database even when the provided domain id is
the url is invalid.
+ For domain-specific driver configuration database store, Identity API creates
the configuration options into the database even though the provided domain id
is the the request url is invalid.
** Changed in: keystone
Assignee: (unassigned) => Thomas Hsiao (thomas-hsiao)
https://bugs.launchpad.net/bugs/1524562
Title:
No error raised if PUT/GET/PATCH/DELETE domain-specific driver
configuration database store with an invalid domain id
Status in OpenStack Identity (keystone):
New
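Added example, not Keystone's code and not part of the original report: a minimal in-memory model of the behaviour described above, showing the config store with and without a domain-existence check, plus an audit helper that lists config rows left behind for domain ids that match no domain. The class, method and exception names are hypothetical, and the sample domain id is the one used in the report.

```python
import uuid


class DomainNotFound(Exception):
    """Would map to an HTTP 404 response in a real API layer."""


class DomainConfigAPI:
    """Hypothetical stand-in for a domain-specific config store."""

    def __init__(self, validate_domain=True):
        self.validate_domain = validate_domain
        self.domains = {}  # domain_id -> domain record
        self.configs = {}  # domain_id -> config dict

    def create_domain(self, name):
        domain_id = uuid.uuid4().hex
        self.domains[domain_id] = {"id": domain_id, "name": name}
        return domain_id

    def _require_domain(self, domain_id):
        # The check the report says is missing: resolve the domain id
        # from the URL against the domain table before any config access.
        if self.validate_domain and domain_id not in self.domains:
            raise DomainNotFound(domain_id)

    def put_config(self, domain_id, config):
        self._require_domain(domain_id)
        self.configs[domain_id] = config
        return {"config": config}

    def get_config(self, domain_id):
        self._require_domain(domain_id)
        return {"config": self.configs[domain_id]}

    def delete_config(self, domain_id):
        self._require_domain(domain_id)
        self.configs.pop(domain_id, None)

    def orphaned_configs(self):
        # Audit helper: config rows whose domain id matches no domain,
        # i.e. rows an unvalidated PUT could have created.
        return sorted(set(self.configs) - set(self.domains))
```

With validate_domain=False the model accepts a PUT and GET for domain id 123456789 exactly as in the report; with the check enabled both raise DomainNotFound and nothing is written.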