f5f42edb26
Recent changes tidied up the v3 sample policy, but unfortunately this introduced a defect that meant a domain admin could create roles on other domains. In addition, in an attempt to simplify the policies, these changes increased the risk of a user being able to spoof the policy by using bogus url options. This patch fixes these issues. Limitations: - The current code + policy does not prevent a domain admin updating the domain_id of a user/group/project to some other domain. Ideally we would prevent this via policy, but this requires an enhancement to our policy engine (to be be able to check for existance of a member in an object). Such a change of domain_id is, with this patch, at least now benign - since if the user acting as domain admin does not have a role on the new domain, then there is nothing they can do. A separate bug (1291393) has been raised for this. Closes-Bug: 1287219 Change-Id: I9d4380ac8586b2af0d7ba945ae5e38cc0d2adbd5 |
||
|---|---|---|
| .. | ||
| default_catalog.templates | ||
| keystone-paste.ini | ||
| keystone.conf.sample | ||
| logging.conf.sample | ||
| policy.json | ||
| policy.v3cloudsample.json | ||