keystone/etc
Henry Nash f5f42edb26 Ensure v3policysample correctly limits domain_admin access
Recent changes tidied up the v3 sample policy, but unfortunately this
introduced a defect that meant a domain admin could create roles on
other domains.  In addition, in an attempt to simplify the policies,
these changes increased the risk of a user being able to spoof the
policy by using bogus url options. This patch fixes these issues.

Limitations:
- The current code + policy does not prevent a domain admin updating the
  domain_id of a user/group/project to some other domain.  Ideally we
  would prevent this via policy, but this requires an enhancement
  to our policy engine (to be be able to check for existance of a member
  in an object).  Such a change of domain_id is, with this patch, at
  least now benign - since if the user acting as domain admin does not
  have a role on the new domain, then there is nothing they can do. A
  separate bug (1291393) has been raised for this.

Closes-Bug: 1287219

Change-Id: I9d4380ac8586b2af0d7ba945ae5e38cc0d2adbd5
2014-03-15 10:02:07 +00:00
..
default_catalog.templates rename templated.TemplatedCatalog to templated.Catalog 2014-01-16 08:18:15 -06:00
keystone-paste.ini V3 xml responses should use v3 namespace. 2014-03-06 15:21:17 +08:00
keystone.conf.sample Update sample config 2014-03-12 14:00:02 -05:00
logging.conf.sample Generate apache-style common access logs 2013-01-31 08:16:21 -06:00
policy.json Token Revocation Extension 2014-03-04 13:42:28 -05:00
policy.v3cloudsample.json Ensure v3policysample correctly limits domain_admin access 2014-03-15 10:02:07 +00:00