So the simplest possible fix is to remove the line which overwrites the context tenant_id:
https://github.com/openstack/heat/blob/master/heat/api/openstack/v1/util.py#L29
This just means the tenant_id in the path is ignored, and User1 always gets the same data regardless of the tenant specified in the path (solving the immediate problem).
However, we should probably consider a more robust fix, where we deny any request where the tenant_id specified in the path doesn't match the tenant_id in the context, either directly in the API, or via a policy rule (I'm working on making the REST API policy.json aware atm).
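To make the two fixes discussed in this comment concrete, here is an added, self-contained Python model of the decorator behaviour (example code written for this page, not Heat's own util.py). It assumes illustrative names (RequestContext, Request, Forbidden, tenant_local_*, StackController, STACKS); the per-tenant data is constructed inline. The "overwrite" variant reproduces the problem (the path tenant replaces the token's tenant in the context), the "ignore" variant is the simplest fix, and the "strict" variant is the more robust fix that refuses a request whose path tenant disagrees with the authenticated tenant.

```python
# Added example, not Heat's code: models path-tenant vs context-tenant
# handling for a URL shaped like /{tenant_id}/stacks. All names are
# illustrative assumptions.
import functools


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


class RequestContext(object):
    """Constructed stand-in for the authenticated request context."""

    def __init__(self, tenant_id, user_id):
        self.tenant_id = tenant_id  # tenant taken from the validated token
        self.user_id = user_id


class Request(object):
    """Constructed stand-in for the WSGI request object."""

    def __init__(self, context):
        self.context = context


def tenant_local_overwrite(handler):
    """Problematic behaviour: the path tenant overwrites the context tenant."""
    @functools.wraps(handler)
    def wrapper(controller, req, tenant_id, **kwargs):
        req.context.tenant_id = tenant_id  # trusts the URL, not the token
        return handler(controller, req, **kwargs)
    return wrapper


def tenant_local_ignore(handler):
    """Simplest fix: the path tenant is ignored, the context is untouched."""
    @functools.wraps(handler)
    def wrapper(controller, req, tenant_id, **kwargs):
        return handler(controller, req, **kwargs)
    return wrapper


def tenant_local_strict(handler):
    """Robust fix: reject any request whose path tenant is not the token's."""
    @functools.wraps(handler)
    def wrapper(controller, req, tenant_id, **kwargs):
        if tenant_id != req.context.tenant_id:
            raise Forbidden("tenant %s in path does not match authenticated "
                            "tenant %s" % (tenant_id, req.context.tenant_id))
        return handler(controller, req, **kwargs)
    return wrapper


# Constructed per-tenant data standing in for the stacks in the database.
STACKS = {
    "tenant-a": ["stack-a1"],
    "tenant-b": ["stack-b1", "stack-b2"],
}


class StackController(object):
    def list_stacks(self, req):
        # Data is always selected by the tenant in the context.
        return list(STACKS.get(req.context.tenant_id, []))


def run(decorator, path_tenant, token_tenant):
    """Dispatch GET /{path_tenant}/stacks for a user whose token belongs to
    token_tenant, using the given tenant_local_* decorator."""
    handler = decorator(StackController.list_stacks)
    req = Request(RequestContext(tenant_id=token_tenant, user_id="user1"))
    return handler(StackController(), req, path_tenant)


if __name__ == "__main__":
    # User from tenant-a asks for tenant-b's stacks.
    print("overwrite:", run(tenant_local_overwrite, "tenant-b", "tenant-a"))
    print("ignore:   ", run(tenant_local_ignore, "tenant-b", "tenant-a"))
    try:
        run(tenant_local_strict, "tenant-b", "tenant-a")
    except Forbidden as exc:
        print("strict:   ", exc)
```

With the overwrite decorator a tenant-a user listing /tenant-b/stacks sees tenant-b's data; with the ignore decorator the same request returns tenant-a's data; with the strict decorator it is refused outright, which is the behaviour a policy rule comparing path and context tenant would also give.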