If I understand correctly, this is more an unfortunate design choice (roles being scoped to tenants) than a security flaw? If you confirm that the current behavior is by design, I agree that this design should be improved to allow roles scoped to tenant + service, but I see no reason to keep this private.
If this is not by design and roles should actually be scoped to tenant + service, then this is a vulnerability and we should keep the bug private until this is fixed. And if this affects stable/diablo as well, I suggest we delay 2011.3.1 to include the fix...
Subscribed Ziad, as PTL for Keystone.