<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>I agree with Gema. Users should not be able to see all other users' info, unless they have super-admin powers or are in the same organization.<div>If the option is being able to see all users or none at all, I would default to none for regular users.</div><div><br></div><div>Thank you,</div><div>Egle</div><div><br><br>
<br><br><div>> To: defcore-committee@lists.openstack.org<br>> From: gema.gomez-solano@canonical.com<br>> Date: Wed, 16 Mar 2016 17:02:27 +0000<br>> Subject: Re: [OpenStack-DefCore] [Security] List Users in RefStack<br>> <br>> In my opinion, listing users should work as follows:<br>> <br>> - Any user can list the users of the organizations (s)he belongs to.<br>> <br>> What data to list? Full name+email+OpenID<br>> <br>> <br>> - Any Foundation (super-admin) user should be able to list everyone, and<br>> this should probably be a separate API call from the ones all users have<br>> available.<br>> <br>> What data to list? Full name+email+OpenID+Organizations<br>> <br>> <br>> Cheers,<br>> Gema<br>> <br>> On 14/03/16 22:28, Catherine Cuong Diep wrote:<br>> > The RefStack team would appreciate guidance and recommendation on the<br>> > following:<br>> > <br>> > 1. Should any RefStack authenticated user be able to list the users<br>> > registered in RefStack?<br>> > * If the answer is yes, which user information should be returned<br>> > (full name, email, OpenID)?<br>> > 2. Or ONLY OpenStack Foundation members can list the users in RefStack?<br>> > <br>> > <br>> > <br>> > _Background information:_<br>> > <br>> > 1. When a user registers at RefStack, RefStack does not request any<br>> > user information input from the user. Instead, RefStack redirects<br>> > the registration process to OpenstackId Identity Provider (<br>> > https://openstackid.org/ ) and obtains three pieces of user<br>> > information ( full name, email, OpenID ) from the OpenstackId<br>> > Identity Provider.<br>> > 2. OpenstackId Identity Provider ( https://openstackid.org/ ) treats<br>> > email as private information. You will not find email or OpenID<br>> > information on any member's public profile on<br>> > https://www.openstack.org/community/members/ . Furthermore, if you<br>> > look at your own profile on https://www.openstack.org/profile/ , you<br>> > will find that email information is listed under the "private<br>> > information" section.<br>> > 3. Since OpenstackId Identity Provider is the source of the user<br>> > information of RefStack, RefStack should respect and not relax the<br>> > privacy policy set by its source.<br>> > <br>> > <br>> > Note:<br>> > The user information for _review.openstack.org_<br>> > &lt;http://review.openstack.org/&gt; seems to be set in<br>> > https://review.openstack.org/#/settings/web-identities and not from<br>> > OpenstackId Identity Provider.<br>> > <br>> > Catherine Diep<br>> > RefStack Project PTL<br>> > IBM Silicon Valley Laboratory, San Jose, California 95141<br>> > cdiep@us.ibm.com, Tel: (408) 463-4352 T/L: 543-4352<br>> > <br>> > <br>> > _______________________________________________<br>> > Defcore-committee mailing list<br>> > Defcore-committee@lists.openstack.org<br>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/defcore-committee<br>> > <br>> <br>> <br>> -- <br>> Gema Gomez-Solano &lt;gema.gomez-solano@canonical.com&gt;<br>> STS, QE https://launchpad.net/~gema<br>> Canonical Ltd. http://www.canonical.com<br></div></div> </div></body>
</html>