[kolla-ansible][horizon][policy][security-sig] Domain admins
Jeremy Stanley
fungi at yuggoth.org
Tue Sep 12 12:37:53 UTC 2023
On 2023-09-11 21:02:06 -0500 (-0500), James Leong wrote:
> I am currently having a yoga version openstack. I noticed that
> user from a domain are able to view other domain leases if they
> are having admin role. Is there any possible way to change
> anything in the policy file? I have tried to add rule:owner but it
> didn't work out the way I wanted. Any recommendations would be
> appreciated.
What specifically were you trying to accomplish by granting admin
access to a domain user? While Keystone (the identity management
service) does have a concept of domain and project administrators
separate from system administrators, not all services in OpenStack
have implemented consistent support for this differentiation.
There is a community-wide goal[*] in progress to bring more
consistency to the RBAC implementation across services, but until
that is completed there are services where, for historical reasons,
the "admin" role means full service administrator access even if
it's associated with a project[**]. We could probably do a better
job of putting up warnings about this in obvious, discoverable
locations since even I had a hard time just now tracking down any
clear statement about the present state of these risks.
[*] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
[**] https://launchpad.net/bugs/1933269
--
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230912/3ce889fd/attachment.sig>
More information about the openstack-discuss
mailing list