Add group_members_are_ids to whitelisted options

This patch addresses a bug and adds group_members_are_ids to the
whitelist to allow for use in `keystone-manage domain_config_upload`

Change-Id: Ifa8d0d723e90be16888859bfa2b0804a0b183877
Closes-Bug: 1670382
Ubuntu 2017-03-06 17:08:42 +00:00
parent 2da47afd8b
commit 53a47b779e
2 changed files with 17 additions and 5 deletions


@ -891,6 +891,11 @@ class DomainConfigManager(manager.Manager):
driver_namespace = 'keystone.resource.domain_config'
# We explicitly state each whitelisted option instead of pulling all ldap
# options from CONF and selectively pruning them to prevent a security
# lapse. That way if a new ldap CONF key/value were to be added it wouldn't
# automatically be added to the whitelisted options unless that is what was
# intended. In which case, we explicitly add it to the list ourselves.
whitelisted_options = {
'identity': ['driver', 'list_limit'],
'ldap': [
@ -906,11 +911,11 @@ class DomainConfigManager(manager.Manager):
'user_enabled_emulation_use_group_config',
'user_additional_attribute_mapping', 'group_tree_dn',
'group_filter', 'group_objectclass', 'group_id_attribute',
'group_name_attribute', 'group_member_attribute',
'group_desc_attribute', 'group_attribute_ignore',
'group_additional_attribute_mapping', 'tls_cacertfile',
'tls_cacertdir', 'use_tls', 'tls_req_cert', 'use_pool',
'pool_size', 'pool_retry_max', 'pool_retry_delay',
'group_name_attribute', 'group_members_are_ids',
'group_member_attribute', 'group_desc_attribute',
'group_attribute_ignore', 'group_additional_attribute_mapping',
'tls_cacertfile', 'tls_cacertdir', 'use_tls', 'tls_req_cert',
'use_pool', 'pool_size', 'pool_retry_max', 'pool_retry_delay',
'pool_connection_timeout', 'pool_connection_lifetime',
'use_auth_pool', 'auth_pool_size', 'auth_pool_connection_lifetime'
]
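Review bot: The new `'group_members_are_ids'` entry in the `ldap` list of `whitelisted_options` lands without a test, since the page lists only two changed files and the second is a release note. A unit test that stores a domain config such as `{'ldap': {'group_members_are_ids': True}}` (constructed sample) and reads it back would pin the fix, alongside a check that an option not on the list is still rejected. Because the new comment states that the list is kept explicit to avoid a security lapse, it is also worth a test that compares the list against the registered ldap options with an explicit exclusion set, so an omission like this one shows up as a test failure rather than a bug report. The option presumably changes how group membership is read from LDAP, so confirm that writing domain config stays restricted to the intended admin role. The body of `DomainConfigManager` continues outside both hunks.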


@ -0,0 +1,7 @@
---
fixes:
- >
[`bug 1670382 <https://bugs.launchpad.net/keystone/+bug/1670382>`_]
The ldap config group_members_are_ids has been added to the whitelisted
options allowing it to now be used in the domain config API and
`keystone-manage domain_config_upload`