
yahoo-eng-team team mailing list archive

[Bug 1516226] [NEW] Keystone V2 User API can access users outside of the default domain


Public bug reported:

The Keystone V2 API is not meant to be able to "see" any users, groups or
projects outside of the default domain.  APIs that list these entities
are careful to filter out any that are in non-default domains.  However,
if you know your entity ID we don't prevent you from doing direct lookup
- i.e. GET /users/<user_id> will work via the V2 API even if the user
is outside of the default domain.  The same is true for projects.
Since the V2 API does not have the concept of groups, there is no issue
in that case.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1516226

Title:
  Keystone V2 User API can access users outside of the default domain

Status in OpenStack Identity (keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1516226/+subscriptions
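The gap the report describes, modelled in a small example added here (it is not keystone's own code): a V2-style list call that filters to the default domain next to a direct-by-ID lookup that does not, and the lookup hardened with the same domain check. The store, the domain ID `default` and the function names are constructed for illustration.

```python
# Added example, not keystone's code. Models the bug report above: the V2
# "list" filters to the default domain, but "get by id" did not.
DEFAULT_DOMAIN_ID = "default"  # assumed value; the real default domain id is configurable

# Constructed sample identity store: entities in and outside the default domain.
USERS = {
    "u-alice": {"id": "u-alice", "name": "alice", "domain_id": DEFAULT_DOMAIN_ID},
    "u-bob": {"id": "u-bob", "name": "bob", "domain_id": "corp-domain"},
}
PROJECTS = {
    "p-demo": {"id": "p-demo", "name": "demo", "domain_id": DEFAULT_DOMAIN_ID},
    "p-hr": {"id": "p-hr", "name": "hr", "domain_id": "corp-domain"},
}


class NotFound(Exception):
    """Raised for a lookup the V2 caller should not be able to resolve."""


def in_default_domain(entity):
    """The single visibility rule the V2 API is meant to apply everywhere."""
    return entity["domain_id"] == DEFAULT_DOMAIN_ID


def v2_list(store):
    """List call: only entities in the default domain are returned."""
    return [e for e in store.values() if in_default_domain(e)]


def v2_get_unfiltered(store, entity_id):
    """Direct lookup as described in the report: the domain is never checked,
    so an ID from a non-default domain resolves through the V2 API."""
    try:
        return store[entity_id]
    except KeyError:
        raise NotFound(entity_id)


def v2_get_filtered(store, entity_id):
    """Hardened lookup: apply the same domain rule the list call uses.
    A non-default-domain entity is reported as NotFound rather than Forbidden
    so the V2 API does not confirm that the ID exists."""
    entity = store.get(entity_id)
    if entity is None or not in_default_domain(entity):
        raise NotFound(entity_id)
    return entity


def resolvable(getter, store, entity_id):
    """True if the given lookup returns the entity to a V2 caller."""
    try:
        getter(store, entity_id)
        return True
    except NotFound:
        return False
```

The same `in_default_domain` rule serves users and projects, which is the point of the report: the list and get paths must share one filter.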

