[openstack-dev] [cross-project] Admin

Neil Jerram Neil.Jerram at metaswitch.com
Mon Oct 19 16:39:15 UTC 2015

On 19/10/15 14:57, Adam Young wrote:
> While I tend to play up  bug 968696 for dramatic effect, the reality is 
> we have a logical contradiction on what we mean by 'admin' when talking 
> about RBAC.
> In early iterations of OpenStack, roles were global.  This is reflected 
> in many of the Policy checks that only look for the global role.  
> However, prior to the Keystone-Light rewrite, role assignments became 
> scoped to tenants.  This shows up in the Keystone git history.  As this 
> pattern got established, some people wrote policy checks that assert:
>       role==admin and tenant_id=resource.tenant_id
> This contradicts the global-ness of the admin roles.  If I assign
> ('joeuser', 'admin','mytenant') I've just granted them the ability to 
> perform all of the admin operations.

I'm afraid I'm not sure I follow.  Do you mean all of the admin
operations on resources that are protected only by 'role==admin' ?


More information about the OpenStack-dev mailing list