Reviewed:  https://review.openstack.org/256889
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5560c7060dcc906b07080c44511551c45172ecf0
Submitter: Jenkins
Branch:    master

commit 5560c7060dcc906b07080c44511551c45172ecf0
Author: Thomas Hsiao <thomas.hs...@hp.com>
Date:   Fri Dec 11 15:55:19 2015 -0800

    Validate domain for DB-based domain config. CRUD

    For CRUD of Identity API-based domain-specific driver
    configuration in database store, if the client provides
    an invalid domain id, the request shall be rejected with
    a response 404 domain not found.

    Change-Id: I9e861d450da1a49d31bac08bea12a0e2e84c6476
    Closes-Bug: 1524562

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1524562

Title:
  No error raised if PUT/GET/PATCH/DELETE domain-specific driver
  configuration database store with an invalid domain id

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  No error raised if PUT/GET/PATCH/DELETE sql-based domain driver
  configuration with an invalid domain id:

  For domain-specific driver configuration database store, Identity API
  creates the configuration options into the database even though the
  provided domain id in the request url is invalid. For example, a user
  can create config options using an invalid domain id (123456789) as
  shown below:

    ~$ curl -s \
    > -H "X-Auth-Token: ADMIN" \
    > -H "Content-Type: application/json" \
    > -d '
    > {
    > "config":{
    > "identity":{
    > "driver":"ldap"
    > },
    > "ldap":{
    > .........
    > "tls_req_cert":"demand",
    > "user_tree_dn":"ou=Users50,dc=cdl,dc=hp,dc=com",
    > "group_allow_update":"False"
    > }
    > }
    > } ' \
    > -XPUT "http://localhost:35357/v3/domains/123456789/config/"
    {"config": {"identity": {"driver": "keystone.identity.backends.ldap.Identity"}, "ldap": {"user_allow_update": "False", ........"user_name_attribute": "cn", "use_pool": "True", "user_objectclass": "posixAccount", "group_id_attribute": "gidNumber", "user_allow_create": "False", "tls_req_cert": "demand".......}}}

  Once the config options are created in the database, the user can even
  use this invalid domain id to get/update/delete the config options; an
  example is shown below:

    ~$ curl -k -H "X-Auth-Token:ADMIN" http://localhost:35357/v3/domains/123456789/config/
    {"config": {"identity": {"driver": "keystone.identity.backends.ldap.Identity"}, "ldap": {"user_allow_update": "False", "group_allow_delete": "False", "group_name_attribute": "cn", "suffix": "dc=cdl,dc=hp,dc=com", ......, "group_allow_update": "False".......}}}
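
Added example, not keystone's code and not part of the original notification: a minimal in-memory model of the behaviour reported above (config stored under a domain id that does not exist) beside the check the commit message describes (reject with 404 before touching the config store), plus an audit for config rows left behind by the unchecked path. The class, method names, and every status code other than the 404 for an unknown domain are assumptions of this sketch.

```python
# Added illustration, not keystone code; every name here is hypothetical.
class DomainConfigAPI:
    def __init__(self, domains, validate=True):
        self.domains = set(domains)  # stand-in for the domain table
        self.configs = {}            # stand-in for the config table, keyed by domain id
        self.validate = validate     # False reproduces the behaviour in the bug report

    def handle(self, method, domain_id, body=None):
        """Return (status, payload) for PUT/GET/PATCH/DELETE on a domain's config."""
        # The domain lookup runs before any read or write of config rows.
        if self.validate and domain_id not in self.domains:
            return 404, {"error": "domain not found"}
        if method == "PUT":
            created = domain_id not in self.configs
            self.configs[domain_id] = dict(body or {})
            # 201/200 split is assumed for this sketch.
            return (201 if created else 200), {"config": self.configs[domain_id]}
        if domain_id not in self.configs:
            return 404, {"error": "config not found"}
        if method == "GET":
            return 200, {"config": self.configs[domain_id]}
        if method == "PATCH":
            self.configs[domain_id].update(body or {})
            return 200, {"config": self.configs[domain_id]}
        if method == "DELETE":
            del self.configs[domain_id]
            return 204, None
        return 405, {"error": "method not allowed"}

    def orphaned_configs(self):
        """Config rows whose domain id matches no domain (written before the check)."""
        return sorted(set(self.configs) - self.domains)


def demo():
    body = {"identity": {"driver": "ldap"}}  # constructed sample input
    old = DomainConfigAPI({"default"}, validate=False)
    new = DomainConfigAPI({"default"})
    return {
        "old_put": old.handle("PUT", "123456789", body)[0],
        "old_get": old.handle("GET", "123456789")[0],
        "orphans": old.orphaned_configs(),
        "new_put": new.handle("PUT", "123456789", body)[0],
        "new_valid_put": new.handle("PUT", "default", body)[0],
        "new_delete": new.handle("DELETE", "123456789")[0],
    }
```

The orphaned_configs() audit matters for a store that accepted writes before the check existed: once validation is on, rows keyed by a nonexistent domain id can no longer be read or deleted through the same API path and need a separate cleanup.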