[openstack-dev] [Keystone] Admin or certain roles should be able to list full project subtree

Jeremy Stanley fungi at yuggoth.org
Thu Mar 16 14:22:27 UTC 2017

On 2017-03-16 08:34:58 -0500 (-0500), Lance Bragstad wrote:
> These security-related corner cases have always come up in the past when
> we've talked about implementing reseller. Another good example that I
> struggle with is what happens when you flip the reseller bit for a project
> admin who goes off and creates their own entities but then wants support?
> What does the support model look like for the project admin that needs help
> in a way that maintains data integrity?

It's still entirely unclear to me how giving someone the ability to
hide resources you've delegated them access to create in any way
enables "reseller" use cases. I can understand the global admins
wanting to have optional views where they don't see all the resold
hierarchy (for the sake of their own sanity), but why would a
down-tree admin have any expectation they could reasonably hide
resources they create from those who maintain the overall system?

In other multi-tenant software I've used where reseller
functionality is present, top-level admins have some means of
examining delegated resources and usually even of impersonating
their down-tree owners for improved supportability.
Jeremy Stanley

More information about the OpenStack-dev mailing list