Comment 16 for bug 1872733
Revision history for this message
| Kristi Nikolla (knikolla) wrote Re: Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID | #16 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
In our environment, we allow users with project_admin role to list people in their project. If a user with an admin role is part of the project of a malicious user (maybe to help with some debugging, or an inherited role), this would allow the malicious user to know the UUID of the admin user.