[keystone][policy][ussuri] why I can create a domain

Nikolla, Kristi knikolla at bu.edu
Wed Nov 24 17:26:01 UTC 2021

Hi Piotr,

That is likely due to the enforce_scope configuration option being set to False by default [0].

We're not at a point yet where you can safely give someone the admin role on any project. [1][2]


[0]. https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo-policy
[1]. https://governance.openstack.org/tc/goals/proposed/consistent-and-secure-rbac.html
[2]. https://review.opendev.org/c/openstack/governance/+/815158

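To make the reply above concrete, here is a small, self-contained model of how an oslo.policy-style enforcer evaluates the `identity:create_domain` rule quoted in the thread. This is an added illustration, not oslo.policy or Keystone code: it re-implements only the check-string semantics needed ("kind:value" atoms joined by `and`/`or`, `rule:NAME` references) and the `enforce_scope` switch. The `admin_required` rule, the `scope_types` declaration and the deprecated `rule:admin_required` fallback that is ORed with the new default are assumptions modelled on Keystone's defaults, and the token credentials are constructed.

```python
"""Simplified model of how oslo.policy evaluates Keystone's create_domain rule.

Added illustration for this thread, not oslo.policy or Keystone code. It
re-implements just enough check-string semantics ("kind:value" atoms joined
by "and"/"or", "rule:NAME" references) plus the enforce_scope switch to show
why a project-scoped admin token gets through while the literal rule reads
"role:admin and system_scope:all".
"""


class InvalidScope(Exception):
    """Raised when enforce_scope is on and the token scope is not allowed."""


# Policy entries. The create_domain check string is the one quoted in the
# thread; the rest are assumptions modelled on Keystone's defaults.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:create_domain": "role:admin and system_scope:all",
}
# Scope types declared on the rule (assumption: ['system'] for create_domain).
SCOPE_TYPES = {"identity:create_domain": ["system"]}
# Deprecated check string that the enforcer ORs with the new default while
# the old rule is still honoured (assumption: rule:admin_required here).
DEPRECATED = {"identity:create_domain": "rule:admin_required"}

# Constructed token credentials, shaped like what Keystone hands the enforcer.
PROJECT_ADMIN = {"scope": "project", "roles": ["admin"], "project_id": "p-admin"}
PROJECT_MEMBER = {"scope": "project", "roles": ["member"], "project_id": "p1"}
SYSTEM_ADMIN = {"scope": "system", "roles": ["admin"], "system_scope": "all"}


def _atom(token, creds):
    """Evaluate one 'kind:value' check against the token credentials."""
    kind, _, value = token.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return check(value, creds)
    # Generic check: compare a credential field with the literal value.
    # A project-scoped token carries no system_scope key, so
    # "system_scope:all" is False for it.
    return str(creds.get(kind)) == value


def check(rule, creds):
    """Evaluate a rule name from POLICY or a raw check string.

    As in oslo.policy, 'and' binds tighter than 'or'.
    """
    expr = POLICY.get(rule, rule)
    return any(
        all(_atom(t.strip(), creds) for t in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def enforce(action, creds, enforce_scope, legacy_fallback=True):
    """Return True/False for the action; raise InvalidScope on a scope mismatch.

    enforce_scope=False mirrors the default the reply points at: the scope
    mismatch is only warned about and evaluation continues.
    """
    allowed = SCOPE_TYPES.get(action)
    if allowed and creds["scope"] not in allowed and enforce_scope:
        raise InvalidScope(f"{action} needs {allowed} scope, got {creds['scope']}")
    result = check(action, creds)
    if not result and legacy_fallback and action in DEPRECATED:
        result = check(DEPRECATED[action], creds)
    return result


def create_domain_outcomes():
    """Evaluate identity:create_domain per token, with scope enforcement off and on."""
    tokens = {"project-admin": PROJECT_ADMIN, "project-member": PROJECT_MEMBER,
              "system-admin": SYSTEM_ADMIN}
    outcomes = {}
    for name, creds in tokens.items():
        for enforce_scope in (False, True):
            try:
                outcomes[(name, enforce_scope)] = enforce(
                    "identity:create_domain", creds, enforce_scope)
            except InvalidScope:
                outcomes[(name, enforce_scope)] = "InvalidScope"
    return outcomes


if __name__ == "__main__":
    for (name, enforce_scope), outcome in create_domain_outcomes().items():
        print(f"{name:15} enforce_scope={enforce_scope!s:5} -> {outcome}")
```

Run stand-alone, the model shows the literal rule evaluating to False for the project-scoped admin (no `system_scope` in its credentials), the legacy fallback letting it through when scope is not enforced, and `InvalidScope` once `enforce_scope` is on. The `enforce_scope=True` path corresponds to `enforce_scope = True` under `[oslo_policy]` in keystone.conf; references [1] and [2] in the reply cover why operators should not simply flip it before the scoped-role work is complete.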
From: Piotr Misiak <piotrmisiak1984 at gmail.com>
Date: Wednesday, November 24, 2021 at 05:04
To: openstack-discuss at lists.openstack.org <openstack-discuss at lists.openstack.org>
Subject: [keystone][policy][ussuri] why I can create a domain

Maybe a stupid question but I'm really confused.

In my Ussuri cloud Keystone has the following policy for the create_domain
action (this is a default policy from Keystone code):

"identity:create_domain": "role:admin and system_scope:all"

I have a user which has "admin" role assigned in project "admin" in
domain "default" - AKA cloud admin.

The user does not have any roles assigned on system scope.

Could someone please explain why this user is able to create a domain in
the cloud?

Looking at the policy rule he shouldn't, or maybe I'm reading it the
wrong way?

Is there any "backward compatibility" casting "cloud admin" role to

Please help


