Comment 26 for bug 1872735

Gage Hugo (gagehugo) wrote : Re: EC2 and/or credential endpoints are not protected from a scoped context

Updated, please review:

Title: EC2 and credential endpoints are not protected from a scoped context
Reporter: kay
Products: Keystone
Affects: <15.0.1, ==16.0.0

Description:
kay reported a vulnerability in Keystone's EC2 credentials API. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining "admin" while the user holds a limited "viewer" role.
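To make the described failure concrete, here is an added illustrative model of the authorization decision a credential-creation endpoint must make; it is not Keystone's own code, and the token fields (trust_id, oauth_consumer_id, application_credential_id) and role names are assumptions chosen to mirror the three limited scopes named in the advisory.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class TokenContext:
    """Simplified view of an authenticated token (constructed shape, not Keystone's)."""
    user_id: str
    project_id: str
    roles: FrozenSet[str]
    # Any of these being set means the token came from a limited scope.
    trust_id: Optional[str] = None
    oauth_consumer_id: Optional[str] = None
    application_credential_id: Optional[str] = None

    @property
    def limited_scope(self) -> bool:
        return any((self.trust_id, self.oauth_consumer_id,
                    self.application_credential_id))

def ec2_credential_allowed(token: TokenContext, requested_roles, target_project_id: str) -> Tuple[bool, str]:
    """Decide whether `token` may create an EC2 credential carrying `requested_roles`.

    Conservative policy (an assumption, not the upstream fix): a credential created
    from a trust/oauth/application-credential scoped token would later yield a token
    without those restrictions, so creation is refused outright; otherwise the
    credential may not grant roles the caller's token does not already have.
    """
    if token.limited_scope:
        return False, "refused: token is limited-scope (trust/oauth/application credential)"
    if target_project_id != token.project_id:
        return False, "refused: credential project differs from token project"
    extra = set(requested_roles) - set(token.roles)
    if extra:
        return False, "refused: requested roles exceed token roles: %s" % sorted(extra)
    return True, "ok"

# Constructed sample tokens: a viewer acting through a trust, and a plain admin.
VIEWER_VIA_TRUST = TokenContext("u1", "p1", frozenset({"viewer"}), trust_id="t1")
PLAIN_ADMIN = TokenContext("u2", "p1", frozenset({"admin", "member"}))

if __name__ == "__main__":
    print(ec2_credential_allowed(VIEWER_VIA_TRUST, {"admin"}, "p1"))
    print(ec2_credential_allowed(PLAIN_ADMIN, {"admin"}, "p1"))
```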