
[OpenStack-DefCore] [Security] List Users in RefStack

0 votes

The RefStack team would appreciate guidance and recommendation on the
following:

  1. Should any RefStack authenticated user be able to list the users
     registered in RefStack?

     • If the answer is yes, which user information should be returned
       (full name, email, OpenID)?
  2. Or can ONLY OpenStack Foundation members list the users in RefStack?

Background information:

  1. When a user registers at RefStack, RefStack does not request any
     user information input from the user. Instead, RefStack redirects
     the registration process to the OpenstackId Identity Provider
     ( https://openstackid.org/ ) and obtains three pieces of user
     information ( full name, email, OpenID ) from the OpenstackId
     Identity Provider.
  2. The OpenstackId Identity Provider ( https://openstackid.org/ ) treats
     email as private information. You will not find email or OpenID
     information on any member's public profile on
     https://www.openstack.org/community/members/ . Furthermore, if you
     look at your own profile on https://www.openstack.org/profile/ , you
     will find that email information is listed under the "private
     information" section.
  3. Since the OpenstackId Identity Provider is the source of the user
     information of RefStack, RefStack should respect and not relax the
     privacy policy set by its source.

Note:
The user information for review.openstack.org seems to be set in
https://review.openstack.org/#/settings/web-identities and not from
OpenstackId Identity Provider.

Catherine Diep
RefStack Project PTL
IBM Silicon Valley Laboratory, San Jose, California 95141
cdiep@us.ibm.com, Tel: (408) 463-4352 T/L: 543-4352


Defcore-committee mailing list
Defcore-committee@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/defcore-committee
asked Mar 14, 2016 in defcore-committee by Catherine_Cuong_Diep (1,320 points)   2

3 Responses

0 votes

In my opinion, listing users should work as follows:

  • Any user can list the users of the organizations (s)he belongs to.

What data to list? Full name+email+OpenID

  • Any Foundation (super-admin) user should be able to list everyone, and
    this should probably be a separate API call from the ones all users have
    available.

What data to list? Full name+email+OpenID+Organizations

Cheers,
Gema


--
Gema Gomez-Solano gema.gomez-solano@canonical.com
STS, QE https://launchpad.net/~gema
Canonical Ltd. http://www.canonical.com


responded Mar 16, 2016 by Gema_Gomez-Solano (200 points)  
0 votes

I agree with Gema. Users should not be able to see all other users' info,
unless they have super-admin powers or are in the same organization.
If the option is being able to see all users or none at all, I would
default to none for regular users.

Thank you,
Egle

responded Mar 16, 2016 by Egle_Sigler (2,300 points)   3
0 votes

It also makes total sense to me.

A user should only be able to list their own organization's users, and a
'superuser' should be able to see everything.

What Gema proposed sounds reasonable to me, as in:

Regular user:

Full name+email+OpenID

For the regular user, maybe we'd also put the organizations as a
reminder, as it won't do any harm nor provide sensitive information, so
maybe we could just use the model

Full name+email+OpenID+Organizations

but limiting that to the user's orgs.

Super user:

Full name+email+OpenID+Organizations

Thanks!

Daniel

responded Mar 17, 2016 by dmellado_at_redhat.c (400 points)  
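The access model Gema proposed (organization-scoped listing for regular users, a separate super-admin call for everyone) with Daniel's refinement (the organizations field shown to a regular user is trimmed to the orgs they share), as an added Python example that is not RefStack's own code. The User model, the sample directory and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    openid: str
    fullname: str
    email: str
    orgs: frozenset = field(default_factory=frozenset)
    is_superuser: bool = False

# Constructed sample directory for the example; not real accounts.
DIRECTORY = [
    User("https://openstackid.org/alice", "Alice A", "alice@example.org", frozenset({"acme"})),
    User("https://openstackid.org/bob", "Bob B", "bob@example.org", frozenset({"acme", "beta"})),
    User("https://openstackid.org/carol", "Carol C", "carol@example.org", frozenset({"beta"})),
    User("https://openstackid.org/admin", "Foundation Admin", "admin@example.org", frozenset(), True),
]

def _record(user, orgs):
    return {"fullname": user.fullname, "email": user.email,
            "openid": user.openid, "organizations": sorted(orgs)}

def list_users(requester, directory=DIRECTORY):
    """Regular-user call: only users who share an organization with the
    requester, and the organizations field is trimmed to the shared ones.
    Anyone with no common organization is omitted entirely (deny by default)."""
    if requester.is_superuser:
        raise PermissionError("super-admins use list_all_users")
    result = []
    for user in directory:
        shared = requester.orgs & user.orgs
        if shared:
            result.append(_record(user, shared))
    return result

def list_all_users(requester, directory=DIRECTORY):
    """Separate super-admin call: everyone, with full organization lists."""
    if not requester.is_superuser:
        raise PermissionError("Foundation super-admin only")
    return [_record(user, user.orgs) for user in directory]

def is_denied(fn, requester):
    """True when the policy refuses the requester; used to check the rules."""
    try:
        fn(requester)
    except PermissionError:
        return True
    return False
```

Keeping the two calls separate means a bug in the organization filter cannot silently widen into a full directory dump for regular users.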