[keystone] How to prevent adding admin-role?

Ben Nemec openstack at nemebean.com
Thu Aug 29 14:51:58 UTC 2019



On 8/29/19 7:52 AM, Tavasti Markku EXT wrote:
>> From: Ben Nemec <openstack at nemebean.com>
>> On 8/28/19 7:24 AM, Tavasti Markku EXT wrote:
>>> Is there any possibility to limit domain admin rights to give only _/member/_ roles?
>>
>> I suspect the answer may be no, unfortunately. This is one of the
>> longstanding limitations with roles - admin means admin of everything.
>> There's work underway to improve that, but I think the policy system in
>> Queens just wasn't designed for this sort of use case.
> 
> Actually I found out how to restrict the rights of domadmin so that she can't add any roles other than _member_.
> The key is to add this to the policy rule for identity:create_grant: whatever_your_conditions_are and '_member_':%(target.role.name)s
> 
> Seems to be working.

Cool, thanks for sharing your solution.

> 
> This page is most likely useful for anyone trying to do the same: https://pedro.alvarezpiedehierro.com/2019/02/06/openstack-domain-project-admin/
> 
> --Tavasti

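To show how the rule above fits into a keystone policy file, here is an added example (constructed for this thread, not code from either poster or from the linked page) as a policy.yaml fragment. The rule names domain_admin and role domain_admin, and the target attribute target.project.domain_id, are assumptions; admin_required, identity:create_grant, identity:revoke_grant and target.role.name are keystone's own.

```yaml
# Added example: keystone policy.yaml fragment restricting what a
# domain admin may grant. Only admin_required, identity:create_grant
# and identity:revoke_grant are stock keystone names; the rest are
# assumptions made for this illustration.

# Keystone's stock definition: cloud admins keep unrestricted grants.
"admin_required": "role:admin or is_admin:1"

# Assumed domain admin: holds a (constructed) domain_admin role on a
# domain-scoped token whose domain matches the target project's domain.
"domain_admin": "role:domain_admin and domain_id:%(target.project.domain_id)s"

# The restriction from the thread. '_member_':%(target.role.name)s
# compares the literal string with the name of the role being granted,
# so a domain admin granting "admin" fails the check and is denied.
"identity:create_grant": "rule:admin_required or (rule:domain_admin and '_member_':%(target.role.name)s)"

# Mirror the restriction on revocation so the same domain admin cannot
# remove roles other than _member_ either.
"identity:revoke_grant": "rule:admin_required or (rule:domain_admin and '_member_':%(target.role.name)s)"
```

Because "and" binds tighter than "or" in oslo.policy, the parentheses are not strictly required, but they make the intent obvious when the file is reviewed.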