[Openstack] "Admin"-ness in Keystone, Nova, et al.

Gabriel Hurley Gabriel.Hurley at nebula.com
Thu Mar 29 23:24:18 UTC 2012


In the last couple days, a few troubling bugs have been uncovered using Horizon that point to a much deeper problem of "admin"-ness in Essex. First, the two most recent bugs:

1. https://bugs.launchpad.net/keystone/+bug/968696

Summary: having an admin role on any tenant gives you admin rights in all of Keystone.

2. https://bugs.launchpad.net/horizon/+bug/967882

Summary: Nova's API handles "admin"-scoped data vs. tenant-scoped data inconsistently.

In practice today, Keystone no longer has global roles, and the RBAC implementation isn't fully there yet across the ecosystem. So projects have adopted inconsistent means of determining when and how to grant "admin"-level privileges to a user. This isn't something individual projects can decide, though. It has to be agreed upon and consistent.

I don't have a great solution for this problem since it's so very late in the Essex release cycle. However, I'm hoping we can perhaps do *something* other than to simply document that "users with admin-level permissions should only ever be granted admin permissions on a single admin tenant, and no other users should be granted an admin role anywhere."

All that said, I'm deeply concerned about the security implications of real deployments being unaware of the unintended consequences of granting what appears to be a scoped "admin" role.

I'd love to hear other thoughts on this.

    - Gabriel
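As an added illustration (not code from Keystone, Nova, or the author of this post), here is a constructed Python model of the two admin checks the post contrasts: the per-tenant "admin" role, and the cross-tenant admin that bug 968696 shows it collapses into. The admin tenant name "admin", the action names, and the sample tokens are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """Constructed stand-in for a scoped Keystone token."""
    user: str
    tenant: str                                  # tenant the token is scoped to
    roles: dict = field(default_factory=dict)    # tenant name -> set of role names


def is_admin_anywhere(token: Token) -> bool:
    """Flawed check (the behaviour bug 968696 describes): an 'admin' role
    on ANY tenant is treated as admin over all of Keystone."""
    return any("admin" in r for r in token.roles.values())


def is_admin_on(token: Token, tenant: str) -> bool:
    """Scoped check: the token must be scoped to `tenant` AND the user must
    hold 'admin' on that same tenant. Admin on proj-a says nothing about proj-b."""
    return token.tenant == tenant and "admin" in token.roles.get(tenant, set())


def is_cloud_admin(token: Token, admin_tenant: str = "admin") -> bool:
    """Cross-tenant privilege only from 'admin' on the designated admin tenant,
    i.e. the deployment rule the post quotes, made explicit in code.
    (admin_tenant name is an assumption.)"""
    return is_admin_on(token, admin_tenant)


def authorize(token: Token, action: str, target_tenant: str,
              admin_tenant: str = "admin") -> bool:
    """One decision point a service could share instead of inventing its own
    notion of 'admin'. Action names are constructed for the example."""
    if is_cloud_admin(token, admin_tenant):
        return True                              # operator: may act on any tenant
    if action in ("list_servers", "delete_server"):
        return is_admin_on(token, target_tenant)  # tenant admin: own tenant only
    return False


# Constructed sample tokens: a tenant admin and a cloud operator.
ALICE = Token("alice", "proj-a", {"proj-a": {"admin", "member"}})
OPERATOR = Token("ops", "admin", {"admin": {"admin"}})
```

Running `is_admin_anywhere(ALICE)` returns True while `is_cloud_admin(ALICE)` returns False, which is exactly the gap between what a deployer thinks a scoped admin role grants and what the unscoped check hands out.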
