<html><body><p><tt>Adam Young <ayoung@redhat.com> wrote on 10/19/2015 09:53:14 AM:</tt><br><tt>> While I tend to play up bug 968696 for dramatic effect, the reality is <br>> we have a logical contradiction on what we mean by 'admin' when talking <br>> about RBAC.<br>> <br>> In early iterations of OpenStack, roles were global. This is reflected <br>> in many of the Policy checks that only look for the global role. <br>> However, prior to the Keystone-Light rewrite, role assignments became <br>> scoped to tenants. This shows up in the Keystone git history. As this <br>> pattern got established, some people wrote policy checks that assert:<br>> <br>> role==admin and tenant_id=resource.tenant_id<br>> <br>> This contradicts the global-ness of the admin roles. If I assign<br>> ('joeuser', 'admin','mytenant') I've just granted them the ability to <br>> perform all of the admin operations.<br>> <br>> Thus, today we have a situation where, unless the user rewrites the <br>> default policy, they have to only assign the role admins to users that <br>> are trusted to be admins on the whole deployment.<br>> <br></tt><br>This all appears to be based on a misassumptions that a) checking the project id should be done in policy.json files and b) if it's not being checked in the policy file then it's not being checked. Neither of those is the case. Many APIs check project id in the code, which is where it should be checked. Tokens are scoped to projects, thus any use of those tokens should necessarily be scoped to the project... otherwise you're not obeying the token scoping. The few places that are not already enforcing that in their code need to be fixed to start enforcing that. It doesn't make sense to do that in policy files, since this is a hard and fast rule, not something someone needs to be able to change in policy, or should be able to change. Nor would it be practical to put this in policy files when you realize that this logic applies to all roles, not just admin.<br><br>-Matthew<br><BR>
</body></html>