Hi all, I am currently running the Yoga version of OpenStack. I noticed that users from a domain are able to view other domains' leases if they have the admin role. Is there any possible way to change anything in the policy file? I have tried to add rule:owner, but it didn't work out the way I wanted. Any recommendations would be appreciated. Best, James
On 2023-09-11 21:02:06 -0500 (-0500), James Leong wrote:
> I am currently running the Yoga version of OpenStack. I noticed that users from a domain are able to view other domains' leases if they have the admin role. Is there any possible way to change anything in the policy file? I have tried to add rule:owner, but it didn't work out the way I wanted. Any recommendations would be appreciated.
What specifically were you trying to accomplish by granting admin access to a domain user?

While Keystone (the identity management service) does have a concept of domain and project administrators separate from system administrators, not all services in OpenStack have implemented consistent support for this differentiation. There is a community-wide goal[*] in progress to bring more consistency to the RBAC implementation across services, but until that is completed there are services where, for historical reasons, the "admin" role means full service administrator access even if it's associated with a project[**].

We could probably do a better job of putting up warnings about this in obvious, discoverable locations, since even I had a hard time just now tracking down any clear statement about the present state of these risks.

[*] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...
[**] https://launchpad.net/bugs/1933269

--
Jeremy Stanley
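The distinction Jeremy describes, a rule that grants access on the bare "admin" role versus one that also requires the caller's domain to match the target's, as an added example that is not part of this thread and is not code from any OpenStack project: a toy evaluator for a small subset of the oslo.policy rule syntax (it is not the oslo.policy library itself), run over constructed credentials and lease records. The rule names, the credential fields and the lease targets are assumed for illustration and are not the real policy names or data model of any lease service. The last case also shows the caveat behind Jeremy's point: a domain-scoped rule can only work if the service actually passes the target's domain_id into the policy check, and when it does not, the scoped rule fails closed even for an admin in the right domain.

```python
"""Toy evaluator for a subset of oslo.policy rule syntax (added example,
not the oslo.policy library, and not any service's real policy.yaml).

Supported: 'role:NAME', 'rule:NAME', 'ATTR:%(target_attr)s' (compare a
credential attribute with a target attribute), 'ATTR:literal', '@' (allow),
'!' (deny), 'not', 'and', 'or' and parentheses. 'and' binds tighter than 'or'.
"""
import re

# "%(name)s" inside an atom is a target lookup, so its parentheses must not
# be split off as grouping tokens.
_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|(?:%\([^)]*\)|[^\s()])+")


class PolicyEvaluator:
    """Evaluate named rules against (creds, target), as oslo.policy does."""

    def __init__(self, rules):
        self.rules = dict(rules)  # rule name -> rule expression string

    def check(self, rule_name, creds, target):
        return self._eval(self.rules[rule_name], creds, target)

    def _eval(self, expr, creds, target):
        tokens = _TOKEN_RE.findall(expr)
        pos = [0]

        def peek():
            return tokens[pos[0]] if pos[0] < len(tokens) else None

        def take():
            tok = peek()
            pos[0] += 1
            return tok

        def parse_or():  # loosest binding
            result = parse_and()
            while peek() == "or":
                take()
                result = parse_and() or result  # always parse the right side
            return result

        def parse_and():
            result = parse_not()
            while peek() == "and":
                take()
                result = parse_not() and result
            return result

        def parse_not():
            if peek() == "not":
                take()
                return not parse_not()
            return parse_atom()

        def parse_atom():
            tok = take()
            if tok == "(":
                value = parse_or()
                if take() != ")":
                    raise ValueError("unbalanced parentheses in %r" % expr)
                return value
            if tok is None:
                raise ValueError("unexpected end of rule %r" % expr)
            return self._atom(tok, creds, target)

        result = parse_or()
        if peek() is not None:
            raise ValueError("trailing tokens in %r" % expr)
        return result

    def _atom(self, tok, creds, target):
        if tok == "@":
            return True
        if tok == "!":
            return False
        kind, _, match = tok.partition(":")
        if kind == "role":
            return match in creds.get("roles", ())
        if kind == "rule":
            return self._eval(self.rules[match], creds, target)
        if match.startswith("%(") and match.endswith(")s"):
            # If the service never put that attribute on the target, fail closed.
            key = match[2:-2]
            if key not in target or kind not in creds:
                return False
            return str(creds[kind]) == str(target[key])
        return kind in creds and str(creds[kind]) == match


# Constructed policy fragment; the rule names are hypothetical stand-ins.
RULES = {
    "admin": "role:admin",
    "owner": "project_id:%(project_id)s",
    "same_domain": "domain_id:%(domain_id)s",
    # Weak: any holder of the admin role, in any domain, may read any lease.
    "lease:get:weak": "rule:admin or rule:owner",
    # Scoped: admin only counts inside the caller's own domain; owners keep access.
    "lease:get:scoped": "(rule:admin and rule:same_domain) or rule:owner",
}

# Constructed credentials shaped like a service's context from a Keystone
# project-scoped token (domain_id is the project's domain).
ADMIN_A = {"roles": ["admin", "member"], "project_id": "proj-a1", "domain_id": "domain-a"}
ADMIN_B = {"roles": ["admin", "member"], "project_id": "proj-b1", "domain_id": "domain-b"}
MEMBER_A = {"roles": ["member"], "project_id": "proj-a2", "domain_id": "domain-a"}

# Constructed targets: a domain A lease, with and without the service
# having populated domain_id on the target.
LEASE_A = {"project_id": "proj-a2", "domain_id": "domain-a"}
LEASE_A_NO_DOMAIN = {"project_id": "proj-a2"}


def can_read(rule_name, creds, lease):
    return PolicyEvaluator(RULES).check(rule_name, creds, lease)


if __name__ == "__main__":
    for rule in ("lease:get:weak", "lease:get:scoped"):
        print(rule, "admin B -> lease A:", can_read(rule, ADMIN_B, LEASE_A),
              "| admin A, no domain on target:", can_read(rule, ADMIN_A, LEASE_A_NO_DOMAIN))
```

With the weak rule, the domain B admin reads the domain A lease; with the scoped rule it is refused and the lease owner still gets through. The scoped rule also refuses the domain A admin when the target carries no domain_id, which is what happens when a service has not been taught to expose domain scope to its policy checks: changing policy.yaml alone cannot fix that.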