From 53a47b779e19d4140f059666ee19483da9ca5ea6 Mon Sep 17 00:00:00 2001
From: Ubuntu
Date: Mon, 6 Mar 2017 17:08:42 +0000
Subject: [PATCH] Add group_members_are_ids to whitelisted options

This patch addresses a bug and adds group_members_are_ids to the whitelist to allow for use in `keystone-manage domain_config_upload`

Change-Id: Ifa8d0d723e90be16888859bfa2b0804a0b183877
Closes-Bug: 1670382
---
 keystone/resource/core.py | 15 ++++++++++-----
 .../notes/bug-1670382-ee851ba4f364d608.yaml | 7 +++++++
 2 files changed, 17 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/bug-1670382-ee851ba4f364d608.yaml

diff --git a/keystone/resource/core.py b/keystone/resource/core.py
index 175ec6b93c..4d867ccc3f 100644
--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
@@ -891,6 +891,11 @@ class DomainConfigManager(manager.Manager):
 driver_namespace = 'keystone.resource.domain_config'
+ # We explicitly state each whitelisted option instead of pulling all ldap
+ # options from CONF and selectively pruning them to prevent a security
+ # lapse. That way if a new ldap CONF key/value were to be added it wouldn't
+ # automatically be added to the whitelisted options unless that is what was
+ # intended. In which case, we explicitly add it to the list ourselves.
 whitelisted_options = {
 'identity': ['driver', 'list_limit'],
 'ldap': [
@@ -906,11 +911,11 @@ class DomainConfigManager(manager.Manager):
 'user_enabled_emulation_use_group_config', 'user_additional_attribute_mapping', 'group_tree_dn', 'group_filter', 'group_objectclass', 'group_id_attribute',
- 'group_name_attribute', 'group_member_attribute',
- 'group_desc_attribute', 'group_attribute_ignore',
- 'group_additional_attribute_mapping', 'tls_cacertfile',
- 'tls_cacertdir', 'use_tls', 'tls_req_cert', 'use_pool',
- 'pool_size', 'pool_retry_max', 'pool_retry_delay',
+ 'group_name_attribute', 'group_members_are_ids',
+ 'group_member_attribute', 'group_desc_attribute',
+ 'group_attribute_ignore', 'group_additional_attribute_mapping',
+ 'tls_cacertfile', 'tls_cacertdir', 'use_tls', 'tls_req_cert',
+ 'use_pool', 'pool_size', 'pool_retry_max', 'pool_retry_delay',
 'pool_connection_timeout', 'pool_connection_lifetime', 'use_auth_pool', 'auth_pool_size', 'auth_pool_connection_lifetime' ]
diff --git a/releasenotes/notes/bug-1670382-ee851ba4f364d608.yaml b/releasenotes/notes/bug-1670382-ee851ba4f364d608.yaml
new file mode 100644
index 0000000000..31776ca1c9
--- /dev/null
+++ b/releasenotes/notes/bug-1670382-ee851ba4f364d608.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - >
+ [`bug 1670382 `_]
+ The ldap config group_members_are_ids has been added to the whitelisted
+ options allowing it to now be used in the domain config API and
+ `keystone-manage domain_config_upload`
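Review bot: The diffstat in the patch header shows only core.py and a release note changed, so nothing pins `'group_members_are_ids'` into the ldap whitelist and the same omission can recur the next time an ldap option is added; a one-line regression test such as `self.assertIn('group_members_are_ids', DomainConfigManager.whitelisted_options['ldap'])` would close that gap. Because this list is the boundary that decides which ldap settings a domain administrator may push through the domain config API, a broader test that walks every `[ldap]` option registered in CONF and asserts it is either whitelisted, in the class's sensitive list (if it keeps one, as the naming suggests), or in an explicit exclusion list would surface future omissions as a failing test rather than a bug report, while keeping each per-option decision deliberate as the comment added in the first hunk intends. The option itself appears to be a behavioural flag rather than a credential, so the whitelisted table rather than the sensitive one is presumably the right home — worth confirming against its CONF definition. The `whitelisted_options` dict begins before this hunk.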