yahoo-eng-team team mailing list archive

[Bug 1294293] Re: domain_id should be immutable by default

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1294293

Title:
  domain_id should be immutable by default

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  An option is already provided to make the domain_id attribute in the
  User, Group and Project entities immutable.  This can be used to
  prevent a domain admin persona (as implemented by a suitable policy
  file such as policy.v3cloudsample) from moving entities into domains
  for which they do not have permission. The option of making the
  domain_id immutable is controlled by a config option - and the default
  is that domain_id is mutable.

  In reality, almost all non-trivial production deployments will want to
  prevent such a movement of entities.  Given this, we should therefore
  make the domain_id immutable by default, even though this changes
  functionality from previous versions.
