[Keystone] Confusion about the admin role
Hi,

I'd like to ask some questions about the admin role.

When I grant the admin role to a user in a project, that user can also get the admin role for other projects in the same domain. If I do the following:

```shell
openstack project create --domain default --description "Demo Project" myproject
openstack user create --domain default --password-prompt myuser
openstack role add --project myproject --user myuser admin
```

then the myuser user has the permission to grant himself the admin role on another project in the same domain.

I used to understand that 'openstack role add --project myproject --user myuser admin' simply granted myuser admin within the myproject project, but now I find that this is equivalent to having the admin role for the entire domain.

Can I ask about the design idea here, or what is wrong in my understanding?

Thanks,
Han Guangyu
On Tue, 2022-11-08 at 16:48 +0800, 韩光宇 wrote:
> Hi,
>
> I'd like to ask some questions about the admin role.
>
> When I grant the admin role to a user in a project, that user can also get the admin role for other projects in the same domain. If I do the following:
>
> ```shell
> openstack project create --domain default --description "Demo Project" myproject
> openstack user create --domain default --password-prompt myuser
> openstack role add --project myproject --user myuser admin
> ```
>
> then the myuser user has the permission to grant himself the admin role on another project in the same domain.

Today OpenStack only has a global admin.
We do not have project- or domain-scoped admin currently, so this is the expected behavior.

> I used to understand that 'openstack role add --project myproject --user myuser admin' simply granted myuser admin within the myproject project, but now I find that this is equivalent to having the admin role for the entire domain.

Yes, it is.

> Can I ask about the design idea here, or what is wrong in my understanding?

No; the admin role is cloud-wide.

> Thanks,
> Han Guangyu
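To see why a token scoped to myproject passes the check for adding a role on a different project, it helps to look at the shape of the policy rule rather than the CLI. The block below is an added example for this thread, not Keystone's code and not something either participant posted. It re-implements just enough of oslo.policy's check-string syntax (`role:`, `rule:`, `attribute:literal`, `attribute:%(target_key)s`, and `and`/`or` without parentheses) to evaluate two policies against constructed tokens. `LEGACY_POLICY` mirrors the long-standing Keystone defaults (`"admin_required": "role:admin or is_admin:1"` and `"identity:create_grant": "rule:admin_required"`); note that there is nothing in it that compares the token's project to the target project, which is exactly the behaviour Sean describes. `SCOPED_POLICY` is a hypothetical variant, not a Keystone default, and its target attribute name (`project_id`) and the token contents are assumptions made for the example.

```python
"""Why a project-scoped admin token can add roles on any project.

Added example for this thread; it is not Keystone's code. It models
oslo.policy-style check strings with a tiny evaluator and compares the
legacy admin rule with a hypothetical scope-aware one.
"""
import re

# Mirrors the long-standing Keystone defaults: any token carrying the admin
# role satisfies admin_required, and creating a role assignment only needs
# admin_required. No atom compares the token's project to the target project.
LEGACY_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:create_grant": "rule:admin_required",
}

# Hypothetical scope-aware variant (NOT a Keystone default): the token must
# also be scoped to the project the role assignment targets. The target key
# name "project_id" is an assumption of this example.
SCOPED_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:create_grant": "rule:admin_required and project_id:%(project_id)s",
}

# Constructed credentials, shaped like what a project-scoped token for myuser
# in myproject would carry after `openstack role add --project myproject
# --user myuser admin`.
MYUSER_TOKEN = {"user_id": "myuser", "project_id": "myproject", "roles": ["admin", "member"]}
PLAIN_MEMBER_TOKEN = {"user_id": "bob", "project_id": "myproject", "roles": ["member"]}

_TEMPLATE = re.compile(r"^%\((\w+)\)s$")


def check_atom(atom, policy, creds, target):
    """Evaluate one 'kind:value' check against credentials and request target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":            # reference to another named rule
        return evaluate(value, policy, creds, target)
    if kind == "role":            # role carried by the token
        return value in creds.get("roles", ())
    # Generic comparison: a credential attribute against a literal, or against
    # a %(key)s template expanded from the target of the request.
    m = _TEMPLATE.match(value)
    expected = target.get(m.group(1)) if m else value
    if expected is None:
        return False
    return str(creds.get(kind)) == str(expected)


def evaluate(rule_name, policy, creds, target):
    """Evaluate a named rule; 'or' binds weaker than 'and', as in oslo.policy."""
    expr = policy[rule_name]
    return any(
        all(check_atom(atom.strip(), policy, creds, target) for atom in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def can_create_grant(policy, creds, target_project_id):
    """Would this token be allowed to add a role assignment on target_project_id?"""
    target = {"project_id": target_project_id}
    return evaluate("identity:create_grant", policy, creds, target)


if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("scoped", SCOPED_POLICY)):
        for project in ("myproject", "otherproject"):
            print(f"{name:6} policy, target {project:12}: "
                  f"{can_create_grant(policy, MYUSER_TOKEN, project)}")
```

Under `LEGACY_POLICY` the myproject-scoped admin token is allowed to create a grant on `otherproject`, which is the self-escalation described in the first post; under the hypothetical `SCOPED_POLICY` the same token is refused there and allowed only on `myproject`. The practical takeaway is that, with the defaults modelled here, granting `admin` on any project should be treated as granting cloud-wide admin, whatever the `--project` argument suggests.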
Hi Sean,

Thank you so much, I get it.

Han

On Tue, 8 Nov 2022 at 17:08, Sean Mooney <smooney@redhat.com> wrote:
participants (2)
- Sean Mooney
- 韩光宇