** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1294293
Title:
domain_id should be immutable by default
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
An option is already provided to make the domain_id attribute in the
User, Group and Project entities immutable. This can be used to
prevent a domain admin persona (as implemented by a suitable policy
file such as policy.v3cloudsample) from moving entities into domains
for which they do not have permission. The option of making the
domain_id immutable is controlled by a config option - and the default
is that domain_id is mutable.
In reality, almost all non-trivial production deployments will want to
prevent such a movement of entities. Given this, we should therefore
make the domain_id immutable by default, even though this changes
functionality from previous versions.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1294293/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
