[Openstack-security] [Bug 1396849] Re: internalURL and adminURL of endpoints should not be visible to ordinary user

David Chadwick d.w.chadwick at kent.ac.uk
Mon Dec 1 20:50:37 UTC 2014


+1

On 01/12/2014 20:03, Morgan Fainberg wrote:
> Based on the ML topic, and that admin/internal URL is not universal (nor
> clearly isolated), this is not something that we can likely fix without
> breaking the API contract. We could look at changing the format of the
> catalog, but I think this is a much, much, bigger topic. Many actions
> need access to the different interfaces to succeed.
> 
> Second, if someone does not have the endpoint in the catalog it doesn't
> prevent them from accessing/using the endpoint if they know it a priori.
> This is not something that I expect we will change. This should be
> handled in policy enforcement (currently policy.json)
> 
> Longer term we are looking at providing endpoint binding - in theory we
> could expand this to cover the differing interfaces *where* possible.
> Feel free to comment at https://review.openstack.org/#/c/123726/ on the
> token constraint specification which will include the ability to
> restrict the user from accessing a specific endpoint if they are not
> authorized to do so.
> 
> ** Changed in: keystone
>        Status: New => Won't Fix
> 
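As an added illustration of the point made above (example code, not from the thread and not Keystone's own code): a constructed v3-style service catalog, a filter that hides the non-public interfaces from it, and a toy policy evaluator standing in for oslo.policy. It shows that filtering the catalog only changes what a client can look up, while the access decision is made by the policy rule alone; the URLs, roles and rules are constructed sample values.

```python
# Added example, not from the bug thread or from Keystone. The catalog layout
# follows the v3 token format (service -> endpoints with an "interface" field);
# the policy evaluator is a deliberately small stand-in for oslo.policy.

# Constructed sample catalog: one service exposing the three standard interfaces.
CATALOG = [
    {
        "type": "identity",
        "name": "keystone",
        "endpoints": [
            {"interface": "public", "region": "RegionOne", "url": "https://keystone.example.test:5000/v3"},
            {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.5:5000/v3"},
            {"interface": "admin", "region": "RegionOne", "url": "http://10.0.0.5:35357/v3"},
        ],
    },
]


def filter_catalog(catalog, interfaces=("public",)):
    """Copy of the catalog keeping only endpoints on the given interfaces."""
    out = []
    for svc in catalog:
        eps = [e for e in svc["endpoints"] if e["interface"] in interfaces]
        if eps:
            out.append({**svc, "endpoints": eps})
    return out


def endpoint_url(catalog, service_type, interface):
    """Resolve a URL the way a client does; None if the catalog does not list it."""
    for svc in catalog:
        if svc["type"] == service_type:
            for e in svc["endpoints"]:
                if e["interface"] == interface:
                    return e["url"]
    return None


def enforce(policy, rule, creds):
    """Toy policy check: a rule is one or more 'role:<name>' terms joined by ' or '."""
    required = policy[rule].split(" or ")
    return any(term == f"role:{r}" for term in required for r in creds["roles"])


def handle_request(policy, rule, creds):
    """What the service decides on arrival: the URL it was reached on plays no part."""
    return "allowed" if enforce(policy, rule, creds) else "denied"
```

A user handed `filter_catalog(CATALOG)` cannot resolve the admin URL from the catalog, but a request that reaches that URL anyway is still decided by `handle_request`, i.e. by policy, not by catalog visibility.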