[keystone][policy][ussuri] why I can create a domain
Piotr Misiak
piotrmisiak1984 at gmail.com
Wed Nov 24 10:03:52 UTC 2021
Hi,
Maybe a stupid question but I'm really confused.
In my Ussuri cloud, Keystone has the following policy for the create_domain
action (this is a default policy from Keystone code):
"identity:create_domain": "role:admin and system_scope:all"
I have a user which has "admin" role assigned in project "admin" in
domain "default" - AKA cloud admin.
The user does not have any roles assigned on system scope.
Could someone please explain why this user is able to create a domain in
the cloud?
Looking at the policy rule, he shouldn't, or maybe I'm reading it the
wrong way?
Is there any "backward compatibility" casting "cloud admin" role to
"system_scope:all"?
Please help
Thanks
Piotr