keystone/releasenotes/notes/bug-1855080-08b28181b7cb247...

---
critical:
  - |
    [`bug 1855080 <https://bugs.launchpad.net/keystone/+bug/1855080>`_]
    An error in the policy target filtering inadvertently allowed any user to
    list any credential object with the /v3/credentials API when
    ``[oslo_policy]/enforce_scope`` was set to false, which is the default.
    This has been addressed: users with non-admin roles on a project may not
    list other users' credentials. However, users with the admin role on a
    project may still list any user's credentials when
    ``[oslo_policy]/enforce_scope`` is false due to `bug 968696
    <https://bugs.launchpad.net/keystone/+bug/968696>`_.
security:
  - |
    [`bug 1855080 <https://bugs.launchpad.net/keystone/+bug/1855080>`_]
    An error in the policy target filtering inadvertently allowed any user to
    list any credential object with the /v3/credentials API when
    ``[oslo_policy]/enforce_scope`` was set to false, which is the default.
    This has been addressed: users with non-admin roles on a project may not
    list other users' credentials. However, users with the admin role on a
    project may still list any user's credentials when
    ``[oslo_policy]/enforce_scope`` is false due to `bug 968696
    <https://bugs.launchpad.net/keystone/+bug/968696>`_.
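
An operator-side check for the behaviour this note describes, added here as an example and not part of keystone: it reads the effective ``[oslo_policy]/enforce_scope`` value from a keystone.conf and classifies a ``GET /v3/credentials`` response body captured in your own deployment. The function names, verdict strings and sample data are assumptions constructed for illustration.

```python
import configparser
import json

# Constructed samples: a keystone.conf that leaves enforce_scope unset, and a
# GET /v3/credentials body as seen by the caller "u-alice".
SAMPLE_CONF = "[DEFAULT]\ndebug = false\n\n[oslo_policy]\n# enforce_scope not set\n"
SAMPLE_BODY = json.dumps({"credentials": [
    {"id": "cred-1", "user_id": "u-alice", "type": "ec2"},
    {"id": "cred-2", "user_id": "u-bob", "type": "totp"},
]})


def enforce_scope(conf_text):
    """Effective [oslo_policy]/enforce_scope; unset means false (the default)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.getboolean("oslo_policy", "enforce_scope", fallback=False)


def foreign_credentials(list_body, caller_user_id):
    """IDs of listed credentials whose owner is not the caller."""
    creds = json.loads(list_body).get("credentials", [])
    return [c["id"] for c in creds if c.get("user_id") != caller_user_id]


def assess(conf_text, list_body, caller_user_id, caller_is_project_admin):
    """Classify a captured listing against the behaviour the note describes."""
    leaked = foreign_credentials(list_body, caller_user_id)
    if not leaked:
        return "ok", leaked
    if enforce_scope(conf_text):
        return "not-covered-by-this-note", leaked  # note only covers enforce_scope=false
    if caller_is_project_admin:
        return "residual-bug-968696", leaked  # still expected after the fix
    return "exposed-bug-1855080", leaked  # non-admin sees other users' credentials


if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_BODY, "u-alice", caller_is_project_admin=False))
```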