
yahoo-eng-team team mailing list archive

[Bug 1516226] Re: Keystone V2 User API can access users outside of the default domain

 

This is the same basic issue as the behavior where you can auth with a
user outside the default domain if you know the id.

This is not something we can "fix" or "correct" without breaking past
behavior... deprecation and finally removal of V2 will be the solution
here.

** Changed in: keystone
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1516226

Title:
  Keystone V2 User API can access users outside of the default domain

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  The Keystone V2 API is not meant to be able to "see" any users, groups
  or projects outside of the default domain.  APIs that list these
  entities are careful to filter out any that are in non-default
  domains.  However, if you know your entity ID, we don't prevent you
  from doing a direct lookup, i.e. GET /users/<user_id> will work via
  the V2 API even if the user is outside of the default domain.  The
  same is true for projects.  Since the V2 API does not have the concept
  of groups, there is no issue in that case.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1516226/+subscriptions
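
Added illustration, not part of the original bug report and not Keystone's code: a toy model of the behaviour the bug description reports, where listing filters by domain but lookup by ID does not, next to a lookup that applies the same domain check. The class, method and user names, the sample IDs, and the `default` domain ID value are assumptions made for this example.

```python
from dataclasses import dataclass

DEFAULT_DOMAIN_ID = "default"  # assumed id of the default domain

class NotFound(Exception):
    """Raised when an entity is missing or not visible to the caller."""

@dataclass(frozen=True)
class User:
    id: str
    name: str
    domain_id: str

class V2UserView:
    """Hypothetical V2-style user API over a multi-domain user store."""

    def __init__(self, users):
        self._by_id = {u.id: u for u in users}

    def list_users(self):
        # Listing filters out entities in non-default domains.
        return [u for u in self._by_id.values()
                if u.domain_id == DEFAULT_DOMAIN_ID]

    def get_user_unscoped(self, user_id):
        # Behaviour in the bug description: lookup by id, no domain check.
        try:
            return self._by_id[user_id]
        except KeyError:
            raise NotFound(user_id) from None

    def get_user_scoped(self, user_id):
        # Same lookup plus the domain check that listing already applies.
        # A hidden user is reported exactly like a missing one.
        user = self.get_user_unscoped(user_id)
        if user.domain_id != DEFAULT_DOMAIN_ID:
            raise NotFound(user_id)
        return user

    def visibility_gaps(self):
        # Ids reachable by direct lookup but absent from the listing.
        listed = {u.id for u in self.list_users()}
        return sorted(set(self._by_id) - listed)

# Constructed sample data, not taken from any deployment.
SAMPLE_USERS = [User("u-001", "alice", DEFAULT_DOMAIN_ID),
                User("u-002", "bob", "d-partner")]
```

`visibility_gaps()` returns the IDs for which the list path and the direct-lookup path disagree, which is the inconsistency the report describes.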

