** Changed in: keystone
   Milestone: None => train-rc1

** Changed in: keystone
       Status: In Progress => Fix Committed
** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/968696

Title:
  "admin"-ness not properly scoped

Status in Cinder:
  Fix Released
Status in Glance:
  In Progress
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Identity (keystone):
  Fix Released
Status in neutron:
  Triaged
Status in OpenStack Compute (nova):
  In Progress
Status in puppet-keystone:
  New

Bug description:
  Fact: Keystone's rbac model grants roles to users on specific tenants,
  and post-keystone redux, there are no longer "global" roles.

  Problem: Granting a user an "admin" role on ANY tenant grants them
  unlimited "admin"-ness throughout the system because there is no
  differentiation between a scoped "admin"-ness and a global "admin"-ness.

  I don't have a specific solution to advocate, but being an admin on
  *any* tenant simply *cannot* allow you to administer all of keystone.

  Steps to reproduce (from Horizon, though you could do this with the
  CLI, too):

  1. User A (existing admin) creates Project B and User B.
  2. User A adds User B to Project B with the admin role on Project B.
  3. User B logs in and now has unlimited admin rights not only to view
     things in the dashboard, but to take actions like creating new
     projects and users, managing existing projects and users, etc.

  Note: See changes ongoing under
  https://bugs.launchpad.net/neutron/+bug/1602081 which is required
  before policy changes can enforce.
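The following is an added illustration of the scoping problem the bug describes; it is not code from Keystone, oslo.policy, or the bug report itself. It is a toy policy evaluator whose rule strings imitate the shape of oslo.policy rules (`role:admin`, `project_id:%(project_id)s`), run against a token built from the reproduction steps above (User B, admin role on Project B only). The "unscoped" policy models the situation the report complains about: `role:admin` alone cannot tell a project-scoped admin from a deployment-wide one. The "scoped" policy, the `scope` credential attribute, and the action names are assumptions constructed for this example, not a fix the bug prescribes.

```python
# Added example, not Keystone's code. A toy evaluator for 'and'-joined
# policy rules, written to show why "role:admin" on its own grants the
# same rights no matter which project the role was assigned on.

def evaluate(rule: str, creds: dict, target: dict) -> bool:
    """Evaluate an 'and'-joined rule against token credentials and a target.

    Atom forms understood (modelled on oslo.policy syntax, but evaluated here
    by this toy code):
      role:<name>              -> <name> is one of creds["roles"]
      <attr>:%(<target_key>)s  -> creds[<attr>] equals target[<target_key>]
      <attr>:<literal>         -> creds[<attr>] equals the literal
    """
    for atom in rule.split(" and "):
        key, _, value = atom.strip().partition(":")
        if key == "role":
            if value not in creds["roles"]:
                return False
        elif value.startswith("%(") and value.endswith(")s"):
            # credential attribute must match the named target attribute
            if str(creds.get(key)) != str(target.get(value[2:-2])):
                return False
        elif str(creds.get(key)) != value:
            return False
    return True


def enforce(policy: dict, action: str, creds: dict, target: dict) -> bool:
    """Look up the rule for an action and evaluate it; unknown actions deny."""
    rule = policy.get(action)
    return rule is not None and evaluate(rule, creds, target)


# Policy as the bug describes it: an "admin" role on any project suffices.
UNSCOPED_POLICY = {
    "identity:create_project": "role:admin",
    "identity:list_users": "role:admin",
}

# Constructed alternative (assumption, not Keystone's actual policy):
# project-level admin rights only reach resources in the token's own
# project, and creating projects requires a deployment-wide "system" scope
# that a project-scoped token never carries.
SCOPED_POLICY = {
    "identity:create_project": "role:admin and scope:system",
    "identity:list_users": "role:admin and project_id:%(project_id)s",
}

# Constructed token for User B from the reproduction steps: admin role
# granted only on Project B, token scoped to Project B.
USER_B = {"user": "userB", "project_id": "B", "roles": {"admin"}, "scope": "project"}


def reproduce(policy: dict) -> dict:
    """Run the operations from the bug's repro steps under a given policy."""
    return {
        "create_project": enforce(policy, "identity:create_project", USER_B, {}),
        "list_users_project_A": enforce(policy, "identity:list_users", USER_B, {"project_id": "A"}),
        "list_users_project_B": enforce(policy, "identity:list_users", USER_B, {"project_id": "B"}),
    }


if __name__ == "__main__":
    for name, policy in (("unscoped", UNSCOPED_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, reproduce(policy))
```

Under the unscoped policy every check passes for User B, which is step 3 of the report. Under the scoped policy the same token can still list users in Project B but is denied on Project A and on project creation, because the rule now compares the token's scope with the target instead of asking only whether an "admin" role exists somewhere.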