yahoo-eng-team team mailing list archive

[Bug 1291393] [NEW] domain_id in User/Group/Project should be immutable

 

Public bug reported:

Today we allow the domain_id in User, Group and Project entities to be
updated, effectively moving the entity between domains.  With today's
policy capability this represents a potential security hole if you are
trying to enforce strict domain admin type of roles.  We should allow a
cloud provider to disable this current update ability and make the
domain_id attribute immutable in the same way we do for the id of the
entity.

** Affects: keystone
     Importance: High
     Assignee: Henry Nash (henry-nash)
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1291393

Title:
  domain_id in User/Group/Project should be immutable

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1291393/+subscriptions
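
A small model of the behaviour this report asks for, added here as an illustration; it is not Keystone code and not part of the bug report. The `domain_id_immutable` switch, the exception names, the domain-admin policy check and the sample data are all assumptions made for the example.

```python
# Constructed model of an entity update path; not Keystone's implementation.
class Forbidden(Exception):
    """Actor's domain does not match the target entity's domain."""

class ImmutableAttribute(Exception):
    """An update tried to change an attribute that is fixed at creation."""

def immutable_attrs(domain_id_immutable):
    # `id` is always immutable; `domain_id` joins it only when the
    # hypothetical provider-level switch is enabled.
    return {"id", "domain_id"} if domain_id_immutable else {"id"}

def update_entity(store, actor, entity_id, changes, domain_id_immutable=True):
    entity = store[entity_id]
    # Assumed domain-admin policy: checked against the entity's current domain
    # only, so it says nothing about the domain named in `changes`.
    if actor["domain_id"] != entity["domain_id"]:
        raise Forbidden(entity_id)
    for attr in sorted(immutable_attrs(domain_id_immutable)):
        # Resending the existing value is harmless; only a real change fails.
        if attr in changes and changes[attr] != entity[attr]:
            raise ImmutableAttribute(attr)
    entity.update(changes)
    return entity

def sample_store():
    # Constructed sample data.
    return {"u1": {"id": "u1", "name": "alice", "domain_id": "domain-a"}}

ADMIN_A = {"name": "admin-a", "domain_id": "domain-a"}
ADMIN_B = {"name": "admin-b", "domain_id": "domain-b"}

if __name__ == "__main__":
    store = sample_store()
    update_entity(store, ADMIN_A, "u1", {"domain_id": "domain-b"},
                  domain_id_immutable=False)
    print("switch off:", store["u1"])  # entity has left domain-a
    store = sample_store()
    try:
        update_entity(store, ADMIN_A, "u1", {"domain_id": "domain-b"})
    except ImmutableAttribute as exc:
        print("switch on: rejected change to", exc)
```

With the switch off, the policy check passes because it only looks at the entity's current domain, and the entity ends up in a domain whose admin never approved it. With the switch on, the same request is rejected before anything is written.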