Make domain_id immutable by default
We already allow the domain_id in User, Group and Project entities to be made immutable by use of a config option. By default, however, the domain_id is mutable. This patch switches this so that the domain_id is immutable by default. Although this changes existing functionality, it is felt that since nearly all non-trivial production implementations that use domains are going to want to restrict domain admin personas with a suitable policy file, leaving the domain_id mutable by default represents a potential vunerability that could be exploited. Closes-Bug: 1294293 Change-Id: I0cb9fd4dc520d0a15bf54f4d138a3794d0ccd1d9
This commit is contained in:
parent
a1dc3ad5c8
commit
31c2634488
@ -98,13 +98,13 @@
|
||||
# appropriate section (e.g. [assignment]). (integer value)
|
||||
#list_limit=<None>
|
||||
|
||||
# Set this to true if you want to disable the ability for
|
||||
# Set this to false if you want to enable the ability for
|
||||
# user, group and project entities to be moved between domains
|
||||
# by updating their domain_id. This can be used to further
|
||||
# restrict scope of a domain admin, in conjunction with an
|
||||
# appropriate policy file (see policy.v3cloudsample as an
|
||||
# example). (boolean value)
|
||||
#domain_id_immutable=false
|
||||
# by updating their domain_id. Allowing such movement is not
|
||||
# recommended if the scope of a domain admin is being
|
||||
# restricted by use of an appropriate policy file (see
|
||||
# policy.v3cloudsample as an example). (boolean value)
|
||||
#domain_id_immutable=true
|
||||
|
||||
|
||||
#
|
||||
|
@ -109,14 +109,14 @@ FILE_OPTIONS = {
|
||||
'global limit may be then overridden for a specific '
|
||||
'driver, by specifying a list_limit in the '
|
||||
'appropriate section (e.g. [assignment]).'),
|
||||
cfg.BoolOpt('domain_id_immutable', default=False,
|
||||
help='Set this to true if you want to disable the '
|
||||
cfg.BoolOpt('domain_id_immutable', default=True,
|
||||
help='Set this to false if you want to enable the '
|
||||
'ability for user, group and project entities '
|
||||
'to be moved between domains by updating their '
|
||||
'domain_id. This can be used to further restrict '
|
||||
'scope of a domain admin, in conjunction with an '
|
||||
'appropriate policy file (see policy.v3cloudsample '
|
||||
'as an example).')],
|
||||
'domain_id. Allowing such movement is not '
|
||||
'recommended if the scope of a domain admin is being '
|
||||
'restricted by use of an appropriate policy file '
|
||||
'(see policy.v3cloudsample as an example).')],
|
||||
'identity': [
|
||||
cfg.StrOpt('default_domain_id', default='default',
|
||||
help='This references the domain to use for all '
|
||||
|
@ -428,14 +428,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||
project['domain_id'] = CONF.identity.default_domain_id
|
||||
r = self.patch('/projects/%(project_id)s' % {
|
||||
'project_id': project['id']},
|
||||
body={'project': project})
|
||||
self.assertValidProjectResponse(r, project)
|
||||
self.config_fixture.config(domain_id_immutable=True)
|
||||
body={'project': project},
|
||||
expected_status=exception.ValidationError.code)
|
||||
self.config_fixture.config(domain_id_immutable=False)
|
||||
project['domain_id'] = self.domain['id']
|
||||
r = self.patch('/projects/%(project_id)s' % {
|
||||
'project_id': project['id']},
|
||||
body={'project': project},
|
||||
expected_status=exception.ValidationError.code)
|
||||
body={'project': project})
|
||||
self.assertValidProjectResponse(r, project)
|
||||
|
||||
def test_delete_project(self):
|
||||
"""Call ``DELETE /projects/{project_id}``
|
||||
@ -600,14 +600,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||
user['domain_id'] = CONF.identity.default_domain_id
|
||||
r = self.patch('/users/%(user_id)s' % {
|
||||
'user_id': user['id']},
|
||||
body={'user': user})
|
||||
self.assertValidUserResponse(r, user)
|
||||
self.config_fixture.config(domain_id_immutable=True)
|
||||
body={'user': user},
|
||||
expected_status=exception.ValidationError.code)
|
||||
self.config_fixture.config(domain_id_immutable=False)
|
||||
user['domain_id'] = self.domain['id']
|
||||
r = self.patch('/users/%(user_id)s' % {
|
||||
'user_id': user['id']},
|
||||
body={'user': user},
|
||||
expected_status=exception.ValidationError.code)
|
||||
body={'user': user})
|
||||
self.assertValidUserResponse(r, user)
|
||||
|
||||
def test_delete_user(self):
|
||||
"""Call ``DELETE /users/{user_id}``.
|
||||
@ -707,14 +707,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||
group['domain_id'] = CONF.identity.default_domain_id
|
||||
r = self.patch('/groups/%(group_id)s' % {
|
||||
'group_id': group['id']},
|
||||
body={'group': group})
|
||||
self.assertValidGroupResponse(r, group)
|
||||
self.config_fixture.config(domain_id_immutable=True)
|
||||
body={'group': group},
|
||||
expected_status=exception.ValidationError.code)
|
||||
self.config_fixture.config(domain_id_immutable=False)
|
||||
group['domain_id'] = self.domain['id']
|
||||
r = self.patch('/groups/%(group_id)s' % {
|
||||
'group_id': group['id']},
|
||||
body={'group': group},
|
||||
expected_status=exception.ValidationError.code)
|
||||
body={'group': group})
|
||||
self.assertValidGroupResponse(r, group)
|
||||
|
||||
def test_delete_group(self):
|
||||
"""Call ``DELETE /groups/{group_id}``."""
|
||||
|
Loading…
x
Reference in New Issue
Block a user