yahoo-eng-team team mailing list archive
Message #11777
[Bug 1294293] [NEW] domain_id should be immutable by default
Public bug reported:
An option is already provided to make the domain_id attribute in the
User, Group and Project entities immutable. This can be used to prevent
a domain admin persona (as implemented by a suitable policy file such as
policy.v3cloudsample) from moving entities into domains for which they
do not have permission. The option of making the domain_id immutable is
controlled by a config option - and the default is that domain_id is
mutable.
In reality, almost all non-trivial production deployments will want to
prevent such a movement of entities. Given this, we should therefore
make the domain_id immutable by default, even though this changes
functionality from previous versions.
** Affects: keystone
Importance: High
Assignee: Henry Nash (henry-nash)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1294293
Title:
domain_id should be immutable by default
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1294293/+subscriptions
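
The failure mode the report describes, as an added Python sketch that is not Keystone's code or part of the original message: a domain-admin policy that checks only the entity's current domain lets the admin move it elsewhere unless domain_id is immutable. All names (`Token`, `policy_allows_update`, `update_entity`) are hypothetical, the policy rule is a simplified assumption, and the `domain_id_immutable` parameter stands in for the config option the report refers to.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Policy check failed."""


class ValidationError(Exception):
    """Request tried to change an immutable attribute."""


@dataclass(frozen=True)
class Token:
    user_id: str
    domain_id: str  # domain this admin token is scoped to


def policy_allows_update(token, stored):
    # Simplified domain-admin rule (assumption): the token's domain must match
    # the domain the target entity is in *before* the update is applied.
    return token.domain_id == stored["domain_id"]


def update_entity(token, stored, changes, domain_id_immutable):
    if not policy_allows_update(token, stored):
        raise Forbidden("token domain does not match target domain")
    new_domain = changes.get("domain_id", stored["domain_id"])
    if domain_id_immutable and new_domain != stored["domain_id"]:
        raise ValidationError("domain_id is immutable")
    return {**stored, **changes}


def demo():
    admin_a = Token(user_id="admin-a", domain_id="domain-a")  # constructed sample
    user = {"id": "u1", "name": "alice", "domain_id": "domain-a"}
    move = {"domain_id": "domain-b"}  # admin_a holds no role on domain-b

    results = {}
    # Mutable: the policy only looked at the current domain, so the move succeeds.
    results["mutable"] = update_entity(admin_a, user, move, False)["domain_id"]
    # Immutable: the same request is rejected before anything is stored.
    try:
        update_entity(admin_a, user, move, True)
        results["immutable"] = "moved"
    except ValidationError:
        results["immutable"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```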