[openstack-dev] Proposed solution to "Admin" ness improperly scoped:

Adam Young ayoung at redhat.com
Tue Oct 13 14:52:32 UTC 2015


On 10/13/2015 12:15 AM, Shinobu Kinjo wrote:
> Sorry for my lack of explanation.
> Are the both scopes of admin and non-admin totally different?
>
> Is each project not nested in admin scope like:
So, a couple terms:
We use the term 'scope' to refer to the project.  Think of this as a 
container that holds resources.

The user is assigned a role on the project, and that determines what operations the user can perform.

However, when OpenStack started, roles were not scoped, but were global. Thus, there are many APIs where the only check is that the user has the role 'admin' and the project scope is never checked.

Because Roles are defined in Keystone after install, none of the default 
policy files actually check any
specific roles.  The only role other than 'admin' that you will see in a 
Packstack install is that for
a Member (often _member_ ).  This role was added to standardize how we 
enforce policy; users used to be
assigned exclusively to a project, and adding this mechanism allowed a 
user to access multiple projects
while maintaining a single policy mechanism.

So there are some APIs where either the project scope is checked -OR- 
the role admin is checked.

We are not making use of hierarchical multitenancy here; your example shows project-a, b, and c nested under admin.

This change would not require that.


>
>   admin {
>    Some properties
>     ...
>    {
>     ...
>     project-a {
>      owner-a
>       ...
>     }
>     project-b {
>      owner-b
>       ...
>     }
>      ...
>     project-x {
>      owner-x
>       ...
>     }
>    }
>   }
>
> Or is "ADMIN_PROJECT_ID" totally different flag?

It means that only a token scoped to 'admin' would (potentially) have 
the role 'admin' available.

>
> I hope you could get me -;
>
> Shinobu
>
> ----- Original Message -----
> From: "Adam Young" <ayoung at redhat.com>
> To: openstack-dev at lists.openstack.org
> Sent: Tuesday, October 13, 2015 12:56:54 PM
> Subject: Re: [openstack-dev] Proposed solution to "Admin" ness improperly scoped:
>
> On 10/12/2015 08:07 PM, Shinobu Kinjo wrote:
>> Just question.
>> Will be scopes of non-admin users projects in admin scoped project?
> I'm sorry I don't understand what you are asking.
>
>> Shinobu
>>
>> ----- Original Message -----
>> From: "Adam Young" <ayoung at redhat.com>
>> To: "OpenStack Development Mailing List" <openstack-dev at lists.openstack.org>
>> Sent: Monday, October 12, 2015 3:38:01 AM
>> Subject: [openstack-dev] Proposed solution to "Admin" ness improperly scoped:
>>
>> https://bugs.launchpad.net/keystone/+bug/968696/comments/39
>>
>> 1. Add a config value ADMIN_PROJECT_ID
>> 2. In token creation, if ADMIN_PROJECT_ID is not None: only add the
>> admin role to the token if the id of the scoped project == ADMIN_PROJECT_ID
>>
>> Does this work?
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
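The two-step proposal quoted above (an ADMIN_PROJECT_ID config value, and dropping the admin role from any token not scoped to that project), modelled as an added example that is not Keystone's own code. The ASSIGNMENTS table, the project ids, and the two policy rules (a project-unaware role:admin check and the usual admin_or_owner rule) are constructed to show why the filter matters.

```python
# Added example, not Keystone code. Models the proposal: a token scoped to
# a project other than ADMIN_PROJECT_ID never carries the 'admin' role.
from typing import Dict, List, Optional

# Constructed config value. None disables the filter (today's behaviour).
ADMIN_PROJECT_ID: Optional[str] = "admin-proj"

# Constructed role assignments: user -> project -> roles.
ASSIGNMENTS: Dict[str, Dict[str, List[str]]] = {
    "alice": {
        "admin-proj": ["admin", "_member_"],
        "project-a": ["admin", "_member_"],
    },
    "bob": {"project-a": ["_member_"]},
}


def issue_token(user: str, project_id: str,
                admin_project_id: Optional[str] = ADMIN_PROJECT_ID) -> dict:
    """Build a project-scoped token, applying the proposed filter."""
    roles = list(ASSIGNMENTS.get(user, {}).get(project_id, []))
    if admin_project_id is not None and project_id != admin_project_id:
        # Step 2 of the proposal: 'admin' only rides on tokens scoped
        # to the admin project; everywhere else it is stripped.
        roles = [r for r in roles if r != "admin"]
    return {"user": user, "project_id": project_id, "roles": roles}


def admin_only(token: dict) -> bool:
    """A policy rule of the form role:admin; the project scope is never
    checked, so a global 'admin' role passes it from any project."""
    return "admin" in token["roles"]


def admin_or_owner(token: dict, target_project_id: str) -> bool:
    """The admin_or_owner rule: role:admin OR project_id:%(project_id)s."""
    return "admin" in token["roles"] or token["project_id"] == target_project_id


if __name__ == "__main__":
    unfiltered = issue_token("alice", "project-a", admin_project_id=None)
    filtered = issue_token("alice", "project-a")
    print("admin_only, no filter :", admin_only(unfiltered))   # True
    print("admin_only, filtered  :", admin_only(filtered))     # False
    print("admin_only, admin proj:", admin_only(issue_token("alice", "admin-proj")))  # True
    print("owner still allowed   :", admin_or_owner(filtered, "project-a"))  # True
```

With the filter on, alice can still act as owner inside project-a, but a role-only check such as admin_only now succeeds solely on the token scoped to the admin project.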
