<div dir="ltr">Thierry, Thiago hasn't responded yet on the admin/ non-admin user part. Looks like that is the issue. I have pinged him to file a bug with more details, so that it will be acted upon. <div><br></div><div>
Thanks,</div><div>-Sriram</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 26, 2013 at 2:57 AM, Thierry Carrez <span dir="ltr"><<a href="mailto:thierry@openstack.org" target="_blank">thierry@openstack.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">Sriram Subramanian wrote:<br>
> Anybody seen this? Can we follow up with him for more details?<br>
<br>
</div>We had several people report the same type of "breach" in the past. It<br>
always boiled down to people misunderstanding the power of the "admin"<br>
users (which by default are not that much restricted by tenant boundaries).<br>
<br>
I would not be surprised if that was the case here. Especially if the<br>
reporter can't reproduce it on a "fresh" setup (where he would set up<br>
normal users).<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Thierry Carrez (ttx)<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Openstack-security mailing list<br>
<a href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Thanks,</div><div>-Sriram</div>
</div>