[Keystone] Confusion about the admin role

韩光宇 hanguangyu2 at gmail.com
Tue Nov 8 09:20:51 UTC 2022


Hi Sean,

Thank you so much, I get it.

Han

Sean Mooney <smooney at redhat.com> wrote on Tue, Nov 8, 2022 at 17:08:
>
> On Tue, 2022-11-08 at 16:48 +0800, 韩光宇 wrote:
> > Hi,
> >
> > I'd like to ask some questions about the admin role.
> >
> > When I grant the admin role to a user in a project, that user can also
> > get the admin role for other projects in the same domain.
> > If I do the following:
> > ```shell
> > openstack project create --domain default --description "Demo Project" myproject
> > openstack user create --domain default  --password-prompt myuser
> > openstack role add --project myproject --user myuser admin
> > ```
> > Then, the myuser user has the permission to grant himself the admin
> > role of another project in the same domain.
> today openstack only has global admin.
>
> we do not have project or domain scoped admin currently.
> so this is the expected behavior.
> >
> > I used to understand that 'openstack role add --project myproject
> > --user myuser admin' was simply granted to myuser as admin within the
> > myproject project, but now I find that this is equivalent to having
> > the admin role for the entire domain.
> yes it is
> >
> > Can I ask the design idea here, or what I think is wrong?
> no so the admin role is cloud wide.
> >
> > Thanks,
> > Han Guangyu
> >
>
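
An added example, not part of the thread and not OpenStack's own code: since, per Sean's reply, an admin assignment on any project is effectively cloud-wide, this audit lists every user or group that holds `admin` on any scope. The JSON column names of `openstack role assignment list --names -f json` are assumed, and the sample rows are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed shape of
# `openstack role assignment list --names -f json` (not data from the thread;
# every name except myuser/myproject is made up for illustration).
SAMPLE = """
[
 {"Role": "admin", "User": "admin@Default", "Group": "", "Project": "admin@Default", "Domain": "", "System": "", "Inherited": false},
 {"Role": "admin", "User": "myuser@Default", "Group": "", "Project": "myproject@Default", "Domain": "", "System": "", "Inherited": false},
 {"Role": "member", "User": "alice@Default", "Group": "", "Project": "myproject@Default", "Domain": "", "System": "", "Inherited": false},
 {"Role": "admin", "User": "", "Group": "ops@Default", "Project": "", "Domain": "Default", "System": "", "Inherited": false}
]
"""

def effective_cloud_admins(assignments, admin_role="admin"):
    """Map each user/group holding admin_role on ANY scope to those scopes."""
    holders = defaultdict(list)
    for a in assignments:
        if a.get("Role") != admin_role:
            continue
        # An assignment targets either a user or a group, never both.
        principal = ("user", a["User"]) if a.get("User") else ("group", a.get("Group", ""))
        if a.get("Project"):
            scope = "project:" + a["Project"]
        elif a.get("Domain"):
            scope = "domain:" + a["Domain"]
        else:
            scope = "system:" + str(a.get("System", ""))
        holders[principal].append(scope)
    return dict(holders)

def report(assignments):
    """One line per principal; the scope shown is only where the role was granted."""
    lines = []
    for (kind, name), scopes in sorted(effective_cloud_admins(assignments).items()):
        lines.append(f"{kind} {name}: cloud-wide admin via {', '.join(sorted(scopes))}")
    return lines

if __name__ == "__main__":
    for line in report(json.loads(SAMPLE)):
        print(line)
```
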