[Openstack-security] [OpenStack-DefCore][Security] List Users in RefStack

Catherine Cuong Diep cdiep at us.ibm.com
Mon Mar 14 22:28:11 UTC 2016



The RefStack team would appreciate guidance and recommendation on the
following:

   Should any RefStack authenticated  user be able to list the users
   registered in RefStack?
      If the answer is yes, which user information should be returned (full
      name, email, OpenID)?
   Or  ONLY OpenStack Foundation members can list the users in RefStack?


Back ground information:

   When a user registers at RefStack, RefStack does not request any user
   information input from the user,  Instead, RefStack redirects the
   registration process to OpenstackId Identity Provider (
   https://openstackid.org/  ) and obtains three pieces of  user
   information ( full name, email, OpenID )  from the OpenstackId Identity
   Provider.
   OpenstackId Identity Provider ( https://openstackid.org/  ) treats email
   as private information.  You will not find email or OpenID information
   on any member's public profile on
   https://www.openstack.org/community/members/ .  Furthermore, if you look
   at your own profile on https://www.openstack.org/profile/ , you will
   find that email information is listed under the "private information"
   section.
   Since OpenstackId Identity Provider is the source of the user
   information of RefStack,  RefStack should respect and not relax the
   privacy policy set  by its source .

Note:
The user information for review.openstack.org seems to be set in
https://review.openstack.org/#/settings/web-identities and not from
OpenstackId Identity Provider.

Catherine Diep
RefStack Project PTL
IBM Silicon Valley Laboratory, San Jose, California 95141
cdiep at us.ibm.com, Tel: (408) 463-4352  T/L: 543-4352
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20160314/4182327b/attachment.html>


More information about the Openstack-security mailing list