Add group_members_are_ids to whitelisted options

This patch addresses a bug and adds group_members_are_ids to the whitelist to allow for use in `keystone-manage domain_config_upload` Change-Id: Ifa8d0d723e90be16888859bfa2b0804a0b183877 Closes-Bug: 1670382
2017-03-06 17:08:42 +00:00 · 2017-03-06 17:08:42 +00:00 · 53a47b779e
commit 53a47b779e
parent 2da47afd8b
2 changed files with 17 additions and 5 deletions
--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
@ -891,6 +891,11 @@ class DomainConfigManager(manager.Manager):

    driver_namespace = 'keystone.resource.domain_config'

+    # We explicitly state each whitelisted option instead of pulling all ldap
+    # options from CONF and selectively pruning them to prevent a security
+    # lapse. That way if a new ldap CONF key/value were to be added it wouldn't
+    # automatically be added to the whitelisted options unless that is what was
+    # intended. In which case, we explicitly add it to the list ourselves.
    whitelisted_options = {
        'identity': ['driver', 'list_limit'],
        'ldap': [
@ -906,11 +911,11 @@ class DomainConfigManager(manager.Manager):
            'user_enabled_emulation_use_group_config',
            'user_additional_attribute_mapping', 'group_tree_dn',
            'group_filter', 'group_objectclass', 'group_id_attribute',
-            'group_name_attribute', 'group_member_attribute',
-            'group_desc_attribute', 'group_attribute_ignore',
-            'group_additional_attribute_mapping', 'tls_cacertfile',
-            'tls_cacertdir', 'use_tls', 'tls_req_cert', 'use_pool',
-            'pool_size', 'pool_retry_max', 'pool_retry_delay',
+            'group_name_attribute', 'group_members_are_ids',
+            'group_member_attribute', 'group_desc_attribute',
+            'group_attribute_ignore', 'group_additional_attribute_mapping',
+            'tls_cacertfile', 'tls_cacertdir', 'use_tls', 'tls_req_cert',
+            'use_pool', 'pool_size', 'pool_retry_max', 'pool_retry_delay',
            'pool_connection_timeout', 'pool_connection_lifetime',
            'use_auth_pool', 'auth_pool_size', 'auth_pool_connection_lifetime'
        ]
--- a/releasenotes/notes/bug-1670382-ee851ba4f364d608.yaml
+++ b/releasenotes/notes/bug-1670382-ee851ba4f364d608.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - >
+    [`bug 1670382 <https://bugs.launchpad.net/keystone/+bug/1670382>`_]
+    The ldap config group_members_are_ids has been added to the whitelisted
+    options allowing it to now be used in the domain config API and
+    `keystone-manage domain_config_upload`