Make domain_id immutable by default

We already allow the domain_id in User, Group and Project entities
to be made immutable by use of a config option.  By default, however,
the domain_id is mutable.

This patch switches this so that the domain_id is immutable by default.
Although this changes existing functionality, it is felt that since
nearly all non-trivial production implementations that use domains
are going to want to restrict domain admin personas with a suitable
policy file, leaving the domain_id mutable by default represents a
potential vunerability that could be exploited.

Closes-Bug: 1294293

Change-Id: I0cb9fd4dc520d0a15bf54f4d138a3794d0ccd1d9
This commit is contained in:
Henry Nash 2014-03-19 11:21:36 +00:00
parent a1dc3ad5c8
commit 31c2634488
3 changed files with 27 additions and 27 deletions

@ -98,13 +98,13 @@
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to true if you want to disable the ability for
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. This can be used to further
# restrict scope of a domain admin, in conjunction with an
# appropriate policy file (see policy.v3cloudsample as an
# example). (boolean value)
#domain_id_immutable=false
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true
#

@ -109,14 +109,14 @@ FILE_OPTIONS = {
'global limit may be then overridden for a specific '
'driver, by specifying a list_limit in the '
'appropriate section (e.g. [assignment]).'),
cfg.BoolOpt('domain_id_immutable', default=False,
help='Set this to true if you want to disable the '
cfg.BoolOpt('domain_id_immutable', default=True,
help='Set this to false if you want to enable the '
'ability for user, group and project entities '
'to be moved between domains by updating their '
'domain_id. This can be used to further restrict '
'scope of a domain admin, in conjunction with an '
'appropriate policy file (see policy.v3cloudsample '
'as an example).')],
'domain_id. Allowing such movement is not '
'recommended if the scope of a domain admin is being '
'restricted by use of an appropriate policy file '
'(see policy.v3cloudsample as an example).')],
'identity': [
cfg.StrOpt('default_domain_id', default='default',
help='This references the domain to use for all '

@ -428,14 +428,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
project['domain_id'] = CONF.identity.default_domain_id
r = self.patch('/projects/%(project_id)s' % {
'project_id': project['id']},
body={'project': project})
self.assertValidProjectResponse(r, project)
self.config_fixture.config(domain_id_immutable=True)
body={'project': project},
expected_status=exception.ValidationError.code)
self.config_fixture.config(domain_id_immutable=False)
project['domain_id'] = self.domain['id']
r = self.patch('/projects/%(project_id)s' % {
'project_id': project['id']},
body={'project': project},
expected_status=exception.ValidationError.code)
body={'project': project})
self.assertValidProjectResponse(r, project)
def test_delete_project(self):
"""Call ``DELETE /projects/{project_id}``
@ -600,14 +600,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
user['domain_id'] = CONF.identity.default_domain_id
r = self.patch('/users/%(user_id)s' % {
'user_id': user['id']},
body={'user': user})
self.assertValidUserResponse(r, user)
self.config_fixture.config(domain_id_immutable=True)
body={'user': user},
expected_status=exception.ValidationError.code)
self.config_fixture.config(domain_id_immutable=False)
user['domain_id'] = self.domain['id']
r = self.patch('/users/%(user_id)s' % {
'user_id': user['id']},
body={'user': user},
expected_status=exception.ValidationError.code)
body={'user': user})
self.assertValidUserResponse(r, user)
def test_delete_user(self):
"""Call ``DELETE /users/{user_id}``.
@ -707,14 +707,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
group['domain_id'] = CONF.identity.default_domain_id
r = self.patch('/groups/%(group_id)s' % {
'group_id': group['id']},
body={'group': group})
self.assertValidGroupResponse(r, group)
self.config_fixture.config(domain_id_immutable=True)
body={'group': group},
expected_status=exception.ValidationError.code)
self.config_fixture.config(domain_id_immutable=False)
group['domain_id'] = self.domain['id']
r = self.patch('/groups/%(group_id)s' % {
'group_id': group['id']},
body={'group': group},
expected_status=exception.ValidationError.code)
body={'group': group})
self.assertValidGroupResponse(r, group)
def test_delete_group(self):
"""Call ``DELETE /groups/{group_id}``."""