[Openstack-security] [Bug 1299039] Re: Token Scoping

David Chadwick d.w.chadwick at kent.ac.uk
Sat Apr 5 06:00:48 UTC 2014


I don't think this is anything to do with a user interface issue. I think
it is a design bug in Keystone. I think the flow in Keystone should be
more like this:

1. User logs in, gets an unscoped token
2. User switches unscoped token for any scoped token of his choice. This
is a downgrading of privileges.
3. User switches from a scoped token to an unscoped token. This is an
escalation of privileges, so should require re-authentication
4. User can now switch his/her unscoped token to any scoped token

regards

David

On 05/04/2014 02:11, Malini Bhandaru wrote:
> Seems like horizon login page should take as input a "scope", domain (and even project possibly) to avoid such an issue.
> Users are supposed to be unique per domain.
> 
> Then we could enforce any subsequent token creation to the domain and
> project of the current token. So no more or less harm than the token
> already leaked.
> 
> Further, we could limit horizon admin uses to only "read-only" on other
> domains/projects.
> 

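The four-step token flow David proposes, modeled as an added example (this is not Keystone's code; the user store, the `authenticate`/`exchange` functions and the project names are constructed for illustration):

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample user store (hypothetical): password and assigned projects.
USERS = {"alice": {"password": "correct horse", "projects": {"proj-a", "proj-b"}}}


@dataclass(frozen=True)
class Token:
    user: str
    scope: Optional[str]  # None means unscoped; otherwise a project id
    id: str = field(default_factory=lambda: secrets.token_hex(16))


class ReauthRequired(Exception):
    """Raised when the requested exchange would escalate privileges."""


def authenticate(user: str, password: str) -> Token:
    """Step 1: credentials buy an unscoped token and nothing more."""
    record = USERS.get(user)
    if record is None or not secrets.compare_digest(record["password"], password):
        raise PermissionError("bad credentials")
    return Token(user=user, scope=None)


def exchange(token: Token, new_scope: Optional[str], password: Optional[str] = None) -> Token:
    """Steps 2-4: the only permitted transitions between token kinds."""
    if token.scope is None and new_scope is not None:
        # unscoped -> scoped: a downgrade, allowed for any project the user holds
        if new_scope not in USERS[token.user]["projects"]:
            raise PermissionError(f"{token.user} has no role in {new_scope}")
        return Token(user=token.user, scope=new_scope)
    if token.scope is not None and new_scope is None:
        # scoped -> unscoped: an escalation, so the user must prove identity again
        if password is None:
            raise ReauthRequired("scoped -> unscoped requires re-authentication")
        return authenticate(token.user, password)
    # scoped -> scoped (and unscoped -> unscoped) exchanges are not offered at all,
    # so a leaked scoped token cannot be traded for a different scope.
    raise PermissionError("rescoping directly between scopes is not allowed")
```

A leaked scoped token therefore yields at most the access of its own scope; widening it back to unscoped costs the attacker the user's credentials.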