From e983c97d6fa5f1860fe6d22ab769b76c3b9ad590 Mon Sep 17 00:00:00 2001 From: Markus Hentsch <129268441+markus-hentsch@users.noreply.github.com> Date: Thu, 14 Dec 2023 10:47:29 +0100 Subject: [PATCH] Add reference to the upstream bug about list_domains endpoint (#409) Signed-off-by: Markus Hentsch --- Standards/scs-0302-v1-domain-manager-role.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Standards/scs-0302-v1-domain-manager-role.md b/Standards/scs-0302-v1-domain-manager-role.md index bbd9fed48..9a7eb8b7e 100644 --- a/Standards/scs-0302-v1-domain-manager-role.md +++ b/Standards/scs-0302-v1-domain-manager-role.md 
@@ -99,13 +99,15 @@ This means that by creating a new role and extending Keystone's API policy confi The approach described in this standard imposes the following limitations: -1. as a result of the "`identity:list_domains`" rule (see below), Domain Managers are able to see all domains via "`openstack domain list`" and can inspect the metadata of other domains with "`openstack domain show`" +1. as a result of the "`identity:list_domains`" rule (see below), Domain Managers are able to see all domains[^5] via "`openstack domain list`" and can inspect the metadata of other domains with "`openstack domain show`" 2. as a result of the "`identity:list_roles`" rule (see below), Domain Managers are able to see all roles via "`openstack role list`" and can inspect the metadata of other roles with "`openstack role show`" **As a result of points 1 and 2, metadata of all domains and roles will be exposed to all Domain Managers!** If a CSP deems either of these points critical, they may abstain from granting the Domain Manager role to users, effectively disabling the functionality. See [Impact](#impact). +[^5]: see the [corresponding Launchpad bug at Keystone](https://bugs.launchpad.net/keystone/+bug/2041611) + ## Decision A role named "`domain-manager`" is to be created via the Keystone API and the policy adjustments quoted below are to be applied.
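Review bot: the footnote added for point 1 only says "see the corresponding Launchpad bug at Keystone" and gives no hint of what the bug covers or why it matters to the limitation it annotates, so a reader has to leave the standard to learn that the `identity:list_domains` exposure is an upstream Keystone issue rather than a design choice of this standard. Consider expanding the footnote text to state that, for example: `[^5]: the fact that the list_domains policy cannot be scoped to the caller's own domain is tracked upstream in the [Launchpad bug at Keystone](https://bugs.launchpad.net/keystone/+bug/2041611)`; that also makes it clear that the "see all domains" limitation (and the bold warning that follows it) should be revisited once the upstream bug is resolved. Minor style point: the `[^5]` definition is placed directly before `## Decision` rather than with the other footnote definitions implied by the numbering; most Markdown renderers collect footnotes at the end regardless, but keeping definitions together makes the source easier to maintain.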