[Keystone] Confusion about the admin role
Sean Mooney
smooney at redhat.com
Tue Nov 8 09:07:40 UTC 2022
On Tue, 2022-11-08 at 16:48 +0800, 韩光宇 wrote:
> Hi,
>
> I'd like to ask some questions about the admin role.
>
> When I grant the admin role to a user in a project, that user can also
> get the admin role for other projects in the same domain.
> If I do the following:
> ```shell
> openstack project create --domain default --description "Demo Project" myproject
> openstack user create --domain default --password-prompt myuser
> openstack role add --project myproject --user myuser admin
> ```
> Then, the myuser user has the permission to grant himself the admin
> role of another project in the same domain.
today openstack only has gloabl admin.
we do not have project or domain scoped admin currently.
so this is the expected behaivor.
>
> I used to understand that 'openstack role add --project myproject
> --user myuser admin' was simply granted to myuser as admin within the
> myproject project, but now I find that This is equivalent to having
> the admin role for the entire domain.
yes it is
>
> Can I ask the design idea here, or what I think is wrong?
no so the admin role is cloud wide.
>
> Thanks,
> Han Guangyu
>
More information about the openstack-discuss
mailing list