[openstack-dev] [cross-project] Admin

Adam Young ayoung at redhat.com
Mon Oct 19 16:46:53 UTC 2015


On 10/19/2015 12:39 PM, Neil Jerram wrote:
> On 19/10/15 14:57, Adam Young wrote:
>> While I tend to play up bug 968696 for dramatic effect, the reality is
>> we have a logical contradiction on what we mean by 'admin' when talking
>> about RBAC.
>>
>> In early iterations of OpenStack, roles were global.  This is reflected
>> in many of the Policy checks that only look for the global role.
>> However, prior to the Keystone-Light rewrite, role assignments became
>> scoped to tenants.  This shows up in the Keystone git history.  As this
>> pattern got established, some people wrote policy checks that assert:
>>
>>        role==admin and tenant_id=resource.tenant_id
>>
>> This contradicts the global-ness of the admin roles.  If I assign
>> ('joeuser', 'admin','mytenant') I've just granted them the ability to
>> perform all of the admin operations.
> I'm afraid I'm not sure I follow.  Do you mean all of the admin
> operations on resources that are protected only by 'role==admin' ?
Yes, exactly. For example, Nova has such a call with "Hypervisors"

http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n159

And there is no clear project that this call can be scoped to.

Contrast this with update-quota which should be scoped to a project.

http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n175


>
>      Neil
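The contradiction described in the thread, worked through as an added example (this is not code from the thread, from Nova, or from oslo.policy; the rule names, the `Token` shape and the tiny evaluator are assumptions made here). Two rules are written in the two shapes Adam contrasts: a global-only `role:admin` check for the hypervisor call, which has no project to scope to, and a project-scoped `role:admin and project_id:%(project_id)s` check for quota updates. A user who holds `admin` only on `mytenant` then satisfies the global-only rule exactly as if the role were global:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Token:
    """What a policy check sees about the caller (constructed for this example)."""
    user: str
    project_id: Optional[str]     # project the token is scoped to, if any
    roles: FrozenSet[str]         # roles granted on that project


# Hypothetical rules in the two shapes discussed in the thread.
# The action names are placeholders, not Nova's real policy keys.
POLICY: Dict[str, str] = {
    # Global-only check: nothing ties the call to a project.
    "compute:hypervisors": "role:admin",
    # Project-scoped check: the role must be held on the target's project.
    "compute:quotas:update": "role:admin and project_id:%(project_id)s",
}


def check(rule: str, token: Token, target: Dict[str, str]) -> bool:
    """Evaluate 'and'-joined clauses of the form key:value.

    %(name)s in a value is substituted from the target being acted on,
    mirroring the substitution style of policy.json rules.
    """
    for clause in rule.split(" and "):
        key, _, raw_value = clause.partition(":")
        try:
            value = raw_value % target
        except KeyError:
            # Rule refers to a target attribute that does not exist: deny.
            return False
        if key == "role":
            if value not in token.roles:
                return False
        elif key == "project_id":
            if token.project_id != value:
                return False
        else:
            raise ValueError(f"unsupported clause key: {key}")
    return True


def enforce(action: str, token: Token, target: Optional[Dict[str, str]] = None) -> bool:
    """Apply the named rule; returns True when the call is permitted."""
    return check(POLICY[action], token, target or {})


# ('joeuser', 'admin', 'mytenant'): admin granted on one project only.
joe = Token(user="joeuser", project_id="mytenant", roles=frozenset({"admin"}))
# An ordinary member of the same project.
bob = Token(user="bob", project_id="mytenant", roles=frozenset({"member"}))


def demonstrate() -> Dict[str, bool]:
    """Outcomes for the two rule shapes (returned so they can be asserted on)."""
    return {
        # Project-scoped admin passes the global-only check: the contradiction.
        "joe_hypervisors": enforce("compute:hypervisors", joe),
        # Scoped rule behaves as intended on joe's own project ...
        "joe_quota_own": enforce("compute:quotas:update", joe, {"project_id": "mytenant"}),
        # ... and denies him on another project.
        "joe_quota_other": enforce("compute:quotas:update", joe, {"project_id": "othertenant"}),
        # A non-admin is denied by both rules.
        "bob_hypervisors": enforce("compute:hypervisors", bob),
        "bob_quota_own": enforce("compute:quotas:update", bob, {"project_id": "mytenant"}),
    }


if __name__ == "__main__":
    for name, allowed in demonstrate().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The point the evaluator makes concrete is that the scoped rule is not wrong on its own; the problem is that a role assignment with a project scope is being consulted by a rule that never looks at the scope, so every scoped `admin` assignment is effectively global for any call protected only by `role:admin`.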