Tagging with keystone for visibility. On 8/28/19 7:24 AM, Tavasti Markku EXT wrote:
Hi!
I am trying to create a ‘domain admin’ role which has permissions to create projects and users, and to manage user roles in projects within its own domain. I have a pretty OK working set of policies done, but there is one critical security hole: a domain admin can add the ‘admin’ role to a user, after which that user has superuser privileges. Is there any possibility to limit domain admin rights to granting only _member_ roles?
I suspect the answer may be no, unfortunately. This is one of the longstanding limitations with roles - admin means admin of everything. There's work underway to improve that, but I think the policy system in Queens just wasn't designed for this sort of use case. That said, I'm not positive this is exactly the same scenario that people generally have trouble with, so hopefully a keystone person can chime in with a more definitive answer.
I am working in Queens-based Redhat OSP13.
Tavasti, Openstack admin
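As an added illustration (not from the thread, and not keystone's own shipped policy), here is how a deployer would express the restriction the question asks for in an oslo.policy file, with the weak rule that produces the hole shown beside the tightened one. It assumes keystone is pointed at `policy.yaml` via `[oslo_policy] policy_file`, that the custom role is literally named `domain_admin` (a hypothetical name), that the domain admin acts with a domain-scoped token, and that keystone places the role being granted into the enforcement target as `target.role.*` (the same data the upstream `policy.v3cloudsample.json` reads as `target.role.domain_id`).

```yaml
# policy.yaml fragment (added example; not from the mailing list thread).
# Assumptions:
#  - keystone reads this file: [oslo_policy] policy_file = policy.yaml
#  - the deployer's custom role is named "domain_admin" (hypothetical name)
#  - the domain admin holds a domain-scoped token, so domain_id is in the credentials
#  - the role being granted is available to policy as target.role.name

"admin_required": "role:admin"

# The grant must land on a project that belongs to the caller's own domain.
"domain_admin_grant_match": "domain_id:%(target.project.domain_id)s"

# Weak form (the hole described in the question): any role, including admin,
# may be assigned as long as the project is in the caller's domain.
# "identity:create_grant": "rule:admin_required or (role:domain_admin and rule:domain_admin_grant_match)"

# Tightened form: the domain admin may only grant the member role, so a
# global admin role cannot be handed out from a domain-scoped token.
# Use the member role name your deployment actually has ("_member_" here,
# as in the question; newer defaults use "member").
"domain_admin_member_only": "'_member_':%(target.role.name)s"
"identity:create_grant": "rule:admin_required or (role:domain_admin and rule:domain_admin_grant_match and rule:domain_admin_member_only)"

# Mirror the restriction on revoke so a domain admin cannot strip a global
# admin's role assignment either.
"identity:revoke_grant": "rule:admin_required or (role:domain_admin and rule:domain_admin_grant_match and rule:domain_admin_member_only)"
```

The tightened rule can be exercised offline before deployment with `oslopolicy-checker` (`--policy`, `--access`, `--rule identity:create_grant`, `--target`), feeding a domain-scoped token's access info once with a target role named `admin` and once with `_member_`; only the second should pass. Note that this closes only the grant path the question describes; any other policy rule that lets the same role create role assignments (for example via groups or inherited grants) needs the same `target.role.name` check.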