[Openstack] "Admin"-ness in Keystone, Nova, et. al.

Andy Smith andyster at gmail.com
Fri Mar 30 17:27:25 UTC 2012


Commented on the first bug.

On Fri, Mar 30, 2012 at 7:41 AM, Julien Danjou
<julien.danjou at enovance.com>wrote:

> On Fri, Mar 30 2012, Gabriel Hurley wrote:
>
> > In practice today, Keystone no longer has global roles, and RBAC
> > implementation isn't fully there yet across the ecosystem. So projects
> have
> > adopted inconsistent means of determining when and how to grant
> > "admin"-level privileges to that user. This isn't something individual
> > projects can decide, though. It has to be agreed upon and consistent.
> >
> > I don't have a great solution for this problem since it's so very late in
> > the Essex release cycle. However, I'm hoping we can perhaps do
> *something*
> > other than to simply document that "users with admin-level permissions
> > should only ever be granted admin permissions on a single admin tenant,
> and
> > no other users should be granted an admin role anywhere."
> >
> > All that said, I'm deeply concerned about the security implications of
> > real deployments being unaware of the unintended consequences of
> > granting what appears to be a scoped "admin" role.
>
> Correct me if I'm wrong, but it seems to me that the problem is simply
> that the default policy used in keystone and nova says that "admin is
> anybody with role `admin' on any tenant", as you can see in their
> respective policy.json files.
>
> I think that this rule should probably be set to something else by
> default, like the user is admin if "it has role admin on a specific
> tenant (like a tenant named `admin')". Tthat would allow to emulate the
> old "global" admin role, just by using a specific tenant.
>
> --
> Julien Danjou
> // eNovance                      http://enovance.com
> // ✉ julien.danjou at enovance.com  ☎ +33 1 49 70 99 81
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20120330/34d78755/attachment.html>


More information about the Openstack mailing list