Comment 16 for bug 1872733

Kristi Nikolla (knikolla) wrote : Re: Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID

In our environment, we allow users with the project_admin role to list people in their project. If a user with an admin role is part of the project of a malicious user (maybe to help with some debugging, or through an inherited role), this would allow the malicious user to know the UUID of the admin user.