How to prevent adding admin-role?
Hi!

I am trying to create a 'domain admin' role which has permissions to create projects and users, and manage user roles in projects within its own domain. I have a pretty OK working set of policies done, but there is one critical security hole: the domain admin can add the 'admin' role to a user, and after that the user has superuser privileges. Is there any possibility to limit domain admin rights to give only _member_ roles?

I am working in Queens-based Redhat OSP13.

Tavasti, Openstack admin
For Internal Use Only
Tagging with keystone for visibility. On 8/28/19 7:24 AM, Tavasti Markku EXT wrote:
Hi!
I am trying to create a 'domain admin' role which has permissions to create projects and users, and manage user roles in projects within its own domain. I have a pretty OK working set of policies done, but there is one critical security hole: the domain admin can add the 'admin' role to a user, and after that the user has superuser privileges. Is there any possibility to limit domain admin rights to give only _member_ roles?
I suspect the answer may be no, unfortunately. This is one of the longstanding limitations with roles - admin means admin of everything. There's work underway to improve that, but I think the policy system in Queens just wasn't designed for this sort of use case. That said, I'm not positive this is exactly the same scenario that people generally have trouble with, so hopefully a keystone person can chime in with a more definitive answer.
I am working in Queens-based Redhat OSP13.
Tavasti, Openstack admin
From: Ben Nemec <openstack@nemebean.com>
On 8/28/19 7:24 AM, Tavasti Markku EXT wrote:
Is there any possibility to limit domain admin rights to give only _member_ roles?
I suspect the answer may be no, unfortunately. This is one of the longstanding limitations with roles - admin means admin of everything. There's work underway to improve that, but I think the policy system in Queens just wasn't designed for this sort of use case.
Actually, I found out how to restrict the rights of the domain admin so that she can't add any roles other than _member_. The key is to add this to the policy rule for identity:create_grant:

whatever_your_conditions_are and '_member_':%(target.role.name)s

Seems to be working.

This page is most likely useful for anyone trying to do the same: https://pedro.alvarezpiedehierro.com/2019/02/06/openstack-domain-project-adm...

--Tavasti
On 8/29/19 7:52 AM, Tavasti Markku EXT wrote:
From: Ben Nemec <openstack@nemebean.com>
On 8/28/19 7:24 AM, Tavasti Markku EXT wrote:
Is there any possibility to limit domain admin rights to give only _member_ roles?
I suspect the answer may be no, unfortunately. This is one of the longstanding limitations with roles - admin means admin of everything. There's work underway to improve that, but I think the policy system in Queens just wasn't designed for this sort of use case.
Actually, I found out how to restrict the rights of the domain admin so that she can't add any roles other than _member_. The key is to add this to the policy rule for identity:create_grant:

whatever_your_conditions_are and '_member_':%(target.role.name)s
Seems to be working.
Cool, thanks for sharing your solution.
This page is most likely useful for anyone trying to do the same: https://pedro.alvarezpiedehierro.com/2019/02/06/openstack-domain-project-adm...
--Tavasti
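The fix Tavasti describes, written out as a keystone policy.yaml fragment with the weak rule shown beside the corrected one. This is an added example, not a file from the thread or from the linked blog post; the domain_admin rule, the role name domain_admin and the target.project.domain_id attribute are assumptions for illustration.

```yaml
# Added example of a keystone (Queens) policy.yaml override.
# Assumed for illustration: a role named "domain_admin" held via a
# domain-scoped token, and the target attribute target.project.domain_id.

# Operator-defined rules referenced below.
"admin_required": "role:admin"
"domain_admin": "role:domain_admin and domain_id:%(target.project.domain_id)s"

# WEAK (the hole from the original question): a domain admin may grant ANY
# role on projects in her domain, including 'admin', which makes the grantee
# a cloud-wide superuser.
# "identity:create_grant": "rule:admin_required or rule:domain_admin"

# FIXED (the approach from the thread): the domain-admin branch only matches
# when the role being granted is named _member_. Cloud admins keep full rights.
"identity:create_grant": "rule:admin_required or (rule:domain_admin and '_member_':%(target.role.name)s)"

# Apply the same constraint to revocation, so a domain admin cannot remove
# roles she could never have granted (e.g. strip 'admin' from another user).
"identity:revoke_grant": "rule:admin_required or (rule:domain_admin and '_member_':%(target.role.name)s)"
```

After changing the file, verify it as the domain admin: a grant of _member_ on a project in her domain should succeed, while a grant of admin (or any other role name) should return 403 Forbidden.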