[Keystone] Confusion about the admin role

Sean Mooney smooney at redhat.com
Tue Nov 8 09:07:40 UTC 2022


On Tue, 2022-11-08 at 16:48 +0800, 韩光宇 wrote:
> Hi,
> 
> I'd like to ask some questions about the admin role.
> 
> When I grant the admin role to a user in a project, that user can also
> get the admin role for other projects in the same domain.
> If I do the following:
> ```shell
> openstack project create --domain default --description "Demo Project" myproject
> openstack user create --domain default  --password-prompt myuser
> openstack role add --project myproject --user myuser admin
> ```
> Then, the myuser user has the permission to grant himself the admin
> role of another project in the same domain.
today openstack only has global admin.

we do not have project or domain scoped admin currently.
so this is the expected behavior.
> 
> I used to understand that 'openstack role add --project myproject
> --user myuser admin' was simply granted to myuser as admin within the
> myproject project, but now I find that this is equivalent to having
> the admin role for the entire domain.
yes it is
> 
> Can I ask the design idea here, or what I think is wrong?
no so the admin role is cloud wide.
> 
> Thanks,
> Han Guangyu
> 
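
Since, per the reply above, an admin grant on any project is effectively cloud-wide, one way to audit it is to list every holder of the admin role regardless of the scope it was granted on. This is an added example, not part of the original thread; it assumes the assignments were exported with `openstack role assignment list --role admin --names -f json` and that the JSON rows use the Role/User/Group/Project/Domain/System columns, and the sample data is constructed.

```python
import json

# Constructed sample, shaped like the assumed JSON output of
#   openstack role assignment list --role admin --names -f json
SAMPLE = """
[
 {"Role": "admin", "User": "admin@Default", "Group": "", "Project": "",
  "Domain": "", "System": "all", "Inherited": false},
 {"Role": "admin", "User": "myuser@Default", "Group": "",
  "Project": "myproject@Default", "Domain": "", "System": "", "Inherited": false},
 {"Role": "member", "User": "alice@Default", "Group": "",
  "Project": "myproject@Default", "Domain": "", "System": "", "Inherited": false},
 {"Role": "admin", "User": "", "Group": "ops@Default", "Project": "",
  "Domain": "Default", "System": "", "Inherited": false}
]
"""

def cloud_admins(assignments_json, admin_role="admin"):
    """Return {principal: [scopes]} for every holder of the admin role.

    The scope of the grant does not limit the role, so every principal
    returned here has to be reviewed as a cloud-wide admin.
    """
    holders = {}
    for row in json.loads(assignments_json):
        if row.get("Role") != admin_role:
            continue
        if row.get("User"):
            principal = "user:" + row["User"]
        else:
            principal = "group:" + row.get("Group", "")
        for kind in ("Project", "Domain", "System"):
            if row.get(kind):
                holders.setdefault(principal, []).append(f"{kind.lower()}:{row[kind]}")
    return holders

def project_granted(holders):
    """Principals whose admin grants are all on projects: the grants most
    likely intended to be limited to a single project."""
    return sorted(p for p, scopes in holders.items()
                  if scopes and all(s.startswith("project:") for s in scopes))

if __name__ == "__main__":
    holders = cloud_admins(SAMPLE)
    for principal, scopes in sorted(holders.items()):
        print(f"{principal:25} admin via {', '.join(scopes)}")
    print("review first:", project_granted(holders))
```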