[OpenStack-DefCore] [Security] List Users in RefStack

Daniel Mellado dmellado at redhat.com
Thu Mar 17 09:06:18 UTC 2016


It also makes total sense to me.

A user should only be able to list their own organization's users and a
'superuser' should be able to see everything.

What Gema proposed sounds reasonable to me, as in:

Regular user:

Full name+email+OpenID

For the regular user, maybe we'd also put the organizations as a
reminder, as it won't do any harm nor provide sensitive information, so
maybe we could just use the model

Full name+email+OpenID+Organizations

but limiting that to the user's orgs.

Super user:

Full name+email+OpenID+Organizations

Thanks!

Daniel

On 16/03/16 at 19:49, Egle Sigler wrote:
> I agree with Gema. User should not be able to see all other users' info,
> unless they have super-admin powers or are in the same organization.
> If the option is being able to see all users or none at all, I would
> default to none for regular users.
> 
> Thank you,
> Egle
> 
> 
> 
> 
>> To: defcore-committee at lists.openstack.org
>> From: gema.gomez-solano at canonical.com
>> Date: Wed, 16 Mar 2016 17:02:27 +0000
>> Subject: Re: [OpenStack-DefCore] [Security] List Users in RefStack
>>
>> In my opinion, listing users should work as follows:
>>
>> - Any user can list the users of the organizations (s)he belongs to.
>>
>> What data to list? Full name+email+OpenID
>>
>>
>> - Any Foundation (super-admin) user should be able to list everyone, and
>> this should probably be a separate API call from the ones all users have
>> available.
>>
>> What data to list? Full name+email+OpenID+Organizations
>>
>>
>> Cheers,
>> Gema
>>
>> On 14/03/16 22:28, Catherine Cuong Diep wrote:
>> > The RefStack team would appreciate guidance and recommendation on the
>> > following:
>> >
>> > 1. Should any RefStack authenticated user be able to list the users
>> > registered in RefStack?
>> > * If the answer is yes, which user information should be returned
>> > (full name, email, OpenID)?
>> > 2. Or ONLY OpenStack Foundation members can list the users in RefStack?
>> >
>> >
>> >
>> > _Background information:_
>> >
>> > 1. When a user registers at RefStack, RefStack does not request any
>> > user information input from the user. Instead, RefStack redirects
>> > the registration process to OpenstackId Identity Provider (
>> > https://openstackid.org/ ) and obtains three pieces of user
>> > information ( full name, email, OpenID ) from the OpenstackId
>> > Identity Provider.
>> > 2. OpenstackId Identity Provider ( https://openstackid.org/ ) treats
>> > email as private information. You will not find email or OpenID
>> > information on any member's public profile on
>> > https://www.openstack.org/community/members/ . Furthermore, if you
>> > look at your own profile on https://www.openstack.org/profile/ , you
>> > will find that email information is listed under the "private
>> > information" section.
>> > 3. Since OpenstackId Identity Provider is the source of the user
>> > information of RefStack, RefStack should respect and not relax the
>> > privacy policy set by its source.
>> >
>> >
>> > Note:
>> > The user information for _review.openstack.org_
>> > <http://review.openstack.org/> seems to be set in
>> > https://review.openstack.org/#/settings/web-identities and not from
>> > OpenstackId Identity Provider.
>> >
>> > Catherine Diep
>> > RefStack Project PTL
>> > IBM Silicon Valley Laboratory, San Jose, California 95141
>> > cdiep at us.ibm.com, Tel: (408) 463-4352 T/L: 543-4352
>> >
>> >
>> > _______________________________________________
>> > Defcore-committee mailing list
>> > Defcore-committee at lists.openstack.org
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/defcore-committee
>> >
>>
>>
>> --
>> Gema Gomez-Solano <gema.gomez-solano at canonical.com>
>> STS, QE https://launchpad.net/~gema
>> Canonical Ltd. http://www.canonical.com
>>
> 
> 
> 
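The listing rule this thread converges on, written out as an added example; it is not RefStack code and not from any of the posters. The `User` model, the function names and the sample accounts are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    openid: str
    fullname: str
    email: str
    orgs: frozenset = frozenset()
    is_superuser: bool = False


def _view(user, visible_orgs):
    # Only the fields named in the thread are ever serialized.
    return {"fullname": user.fullname, "email": user.email,
            "openid": user.openid, "organizations": sorted(visible_orgs)}


def list_org_users(caller, users):
    """Regular call: users sharing an organization with the caller.

    The organizations shown are limited to the caller's own, so membership
    in other organizations is not disclosed. A caller with no organization
    gets an empty list (default to none).
    """
    result = []
    for user in users:
        shared = user.orgs & caller.orgs
        if shared:
            result.append(_view(user, shared))
    return result


def list_all_users(caller, users):
    """Separate super-admin call: every user with all organizations."""
    if not caller.is_superuser:
        raise PermissionError("listing all users requires super-admin")
    return [_view(user, user.orgs) for user in users]


# Constructed sample accounts (assumed data, not real users).
USERS = [
    User("id/alice", "Alice A", "alice@example.org", frozenset({"acme"})),
    User("id/bob", "Bob B", "bob@example.org", frozenset({"acme", "globex"})),
    User("id/carol", "Carol C", "carol@example.org", frozenset({"globex"})),
    User("id/dave", "Dave D", "dave@example.org"),
    User("id/root", "Root R", "root@example.org", is_superuser=True),
]
BY_ID = {u.openid: u for u in USERS}
```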



