[keystone] How to prevent adding admin-role?

Ben Nemec openstack at nemebean.com
Wed Aug 28 15:54:53 UTC 2019


Tagging with keystone for visibility.

On 8/28/19 7:24 AM, Tavasti Markku EXT wrote:
> Hi!
> 
> I am trying to create a ‘domain admin’ role which has permissions to 
> create projects and users, and manage user roles in projects within its own 
> domain. I have a pretty OK working set of policies done, but there is one 
> critical security hole: the domain admin can add the ‘admin’ role to a user, and 
> after that the user has superuser privileges. Is there any possibility to 
> limit domain admin rights to give only _/member/_ roles?

I suspect the answer may be no, unfortunately. This is one of the 
longstanding limitations with roles - admin means admin of everything. 
There's work underway to improve that, but I think the policy system in 
Queens just wasn't designed for this sort of use case.

That said, I'm not positive this is exactly the same scenario that 
people generally have trouble with, so hopefully a keystone person can 
chime in with a more definitive answer.

> 
> I am working in Queens-based Red Hat OSP13.
> 
> Tavasti, Openstack admin
> 
> 
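As an added example, not code from this thread or from keystone's own policy files, the restriction Tavasti asks about can be expressed as an oslo.policy rule on `identity:create_grant`; it assumes a custom `domain_admin` role, roles literally named `admin` and `member`, and that keystone exposes the role being granted as `target.role` when it evaluates grant policies.

```yaml
# Added example (not from the thread): two rule sets for keystone's
# identity:create_grant, the call a domain admin uses to assign a role to a
# user in a project or domain. Assumed role names: admin, member, and a
# custom domain_admin role.

# Shared pieces (admin_required is keystone's default wording).
"admin_required": "role:admin or is_admin:1"
# The grant target is the domain admin's own domain, or a project inside it.
"domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s"

# WEAK: this constrains *where* the domain admin may grant, but not *which*
# role. Nothing stops it from handing out admin, and because admin means
# admin of everything, the grantee becomes a cloud admin.
# "identity:create_grant": "rule:admin_required or (role:domain_admin and rule:domain_admin_grant_match)"

# FIXED: add a literal check on the resolved role name. oslo.policy compares
# the quoted literal 'member' against target.role.name, which keystone fills
# in from the role_id of the request before the grant policy is evaluated
# (assumption: this attribute is available in the release in use).
"domain_admin_member_grant": "role:domain_admin and rule:domain_admin_grant_match and 'member':%(target.role.name)s"
"identity:create_grant": "rule:admin_required or rule:domain_admin_member_grant"
```

The quoted literal must match the role name actually used in the deployment (older deployments used `_member_`), and the same predicate belongs on any other grant-related target the domain admin is permitted to call.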
