[kolla-ansible][horizon][policy][security-sig] Domain admins

Jeremy Stanley fungi at yuggoth.org
Tue Sep 12 12:37:53 UTC 2023


On 2023-09-11 21:02:06 -0500 (-0500), James Leong wrote:
> I am currently running a Yoga version of OpenStack. I noticed that
> users from a domain are able to view other domains' leases if they
> have the admin role. Is there any possible way to change
> anything in the policy file? I have tried to add rule:owner but it
> didn't work out the way I wanted. Any recommendations would be
> appreciated.

What specifically were you trying to accomplish by granting admin
access to a domain user? While Keystone (the identity management
service) does have a concept of domain and project administrators
separate from system administrators, not all services in OpenStack
have implemented consistent support for this differentiation.

There is a community-wide goal[*] in progress to bring more
consistency to the RBAC implementation across services, but until
that is completed there are services where, for historical reasons,
the "admin" role means full service administrator access even if
it's associated with a project[**]. We could probably do a better
job of putting up warnings about this in obvious, discoverable
locations since even I had a hard time just now tracking down any
clear statement about the present state of these risks.

[*] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
[**] https://launchpad.net/bugs/1933269
-- 
Jeremy Stanley
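As an added illustration (not part of the thread), this oslo.policy policy.yaml fragment contrasts the legacy rule shape, where "admin" means service-wide administrator, with the scope-aware shapes used by the consistent-RBAC work; the rule names are placeholders, and whether the `%(domain_id)s` target attribute is populated depends on what the individual service passes to its enforcer.

```yaml
# Constructed example; rule names are placeholders, not a real service's defaults.
# Legacy semantics: a token carrying the admin role is treated as a full
# service administrator no matter which project or domain it is scoped to.
"legacy_admin": "role:admin"

# Scope-aware alternatives from the consistent-RBAC goal.
# System admin: the token must be system-scoped, not project- or domain-scoped.
"system_admin": "role:admin and system_scope:all"
# Domain admin: the token's domain must match the target's domain_id.
# This only works where the service supplies domain_id in the enforcer target.
"domain_admin": "role:admin and domain_id:%(domain_id)s"

# A service rule wired to the legacy alias: any admin in any domain passes.
"example:leases:get": "rule:legacy_admin"
# Swapping in the scoped alternatives is only effective in services that
# already distinguish system, domain and project scope; elsewhere the
# legacy behaviour described in the reply still applies.
# "example:leases:get": "rule:system_admin or rule:domain_admin"
```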