[openstack-dev] [cross-project] Admin

William M Edmonds edmondsw at us.ibm.com
Thu Oct 22 09:16:27 UTC 2015



Adam Young <ayoung at redhat.com> wrote on 10/19/2015 09:53:14 AM:
> While I tend to play up  bug 968696 for dramatic effect, the reality is
> we have a logical contradiction on what we mean by 'admin' when talking
> about RBAC.
>
> In early iterations of OpenStack, roles were global.  This is reflected
> in many of the Policy checks that only look for the global role.
> However, prior to the Keystone-Light rewrite, role assignments became
> scoped to tenants.  This shows up in the Keystone git history.  As this
> pattern got established, some people wrote policy checks that assert:
>
>       role==admin and tenant_id=resource.tenant_id
>
> This contradicts the global-ness of the admin roles.  If I assign
> ('joeuser', 'admin','mytenant') I've just granted them the ability to
> perform all of the admin operations.
>
> Thus, today we have a situation where, unless the user rewrites the
> default policy, they have to only assign the role  admins to users that
> are trusted to be admins on the whole deployment.
>

This all appears to be based on a misassumptions that a) checking the
project id should be done in policy.json files and b) if it's not being
checked in the policy file then it's not being checked. Neither of those is
the case. Many APIs check project id in the code, which is where it should
be checked. Tokens are scoped to projects, thus any use of those tokens
should necessarily be scoped to the project... otherwise you're not obeying
the token scoping. The few places that are not already enforcing that in
their code need to be fixed to start enforcing that. It doesn't make sense
to do that in policy files, since this is a hard and fast rule, not
something someone needs to be able to change in policy, or should be able
to change. Nor would it be practical to put this in policy files when you
realize that this logic applies to all roles, not just admin.

-Matthew
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20151022/8b3461cc/attachment.html>


More information about the OpenStack-dev mailing list