
[keystone] How to prevent adding admin-role?

Tagging with keystone for visibility.

On 8/28/19 7:24 AM, Tavasti Markku EXT wrote:
> Hi!
> I am trying to create a "domain admin" role which has permissions to 
> create projects and users, and manage user roles in projects within its own 
> domain. I have a pretty OK working set of policies done, but there is one 
> critical security hole: the domain admin can add the "admin" role to a user, and 
> after that the user has superuser privileges. Is there any possibility to 
> limit domain admin rights to give only _member_ roles?

I suspect the answer may be no, unfortunately. This is one of the 
longstanding limitations with roles - admin means admin of everything. 
There's work underway to improve that, but I think the policy system in 
Queens just wasn't designed for this sort of use case.

That said, I'm not positive this is exactly the same scenario that 
people generally have trouble with, so hopefully a keystone person can 
chime in with a more definitive answer.

> I am working in Queens-based Redhat OSP13.
> Tavasti, Openstack admin
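Since the policy file alone cannot close the hole the question describes, a compensating detective control is to audit the role assignment table for the "admin" role showing up outside the cloud-admin domain. The script below is an added example written for this thread, not code from the original poster or from keystone. It assumes the JSON shape produced by `openstack role assignment list --names -f json` (fields `Role`, `User`, `Group`, `Project`, `Domain`, `System`, `Inherited`, with names printed as `name@domain`), and the cloud-admin domain name `Default` is an assumed value; the sample assignments are constructed inline.

```python
"""Flag 'admin' role assignments that escaped the cloud-admin domain.

Added example for this thread, not keystone code. Input shape is assumed to
match `openstack role assignment list --names -f json`.
"""
import json

# Assumed: the only domain whose members may legitimately hold 'admin'.
CLOUD_ADMIN_DOMAIN = "Default"
# Roles that a Queens-era policy file treats as "admin of everything".
PRIVILEGED_ROLES = {"admin"}

# Constructed sample shaped like the CLI's JSON output: a cloud admin in the
# admin domain, plus several grants a domain admin of "acme" could have made.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"Role": "admin", "User": "cloud-admin@Default", "Group": "",
     "Project": "admin@Default", "Domain": "", "System": "", "Inherited": False},
    {"Role": "admin", "User": "alice@acme", "Group": "",
     "Project": "", "Domain": "acme", "System": "", "Inherited": False},
    {"Role": "_member_", "User": "bob@acme", "Group": "",
     "Project": "webshop@acme", "Domain": "", "System": "", "Inherited": False},
    {"Role": "admin", "User": "bob@acme", "Group": "",
     "Project": "webshop@acme", "Domain": "", "System": "", "Inherited": False},
    {"Role": "admin", "User": "", "Group": "ops@acme",
     "Project": "", "Domain": "", "System": "all", "Inherited": False},
])


def _split_name(value):
    """Split 'name@domain' as printed by --names.

    rpartition keeps e-mail style user names intact; a value with no '@'
    gets an empty domain instead of being mistaken for one.
    """
    name, sep, domain = value.rpartition("@")
    return (name, domain) if sep else (value, "")


def _scope_of(assignment):
    """Return (kind, name, domain) for the target of one assignment.

    System-scoped grants have no domain, so domain is None for them.
    """
    if assignment.get("Project"):
        name, domain = _split_name(assignment["Project"])
        return "project", name, domain
    if assignment.get("Domain"):
        return "domain", assignment["Domain"], assignment["Domain"]
    if assignment.get("System"):
        return "system", assignment["System"], None
    return "unknown", "", ""


def find_escaped_admin_grants(assignments_json,
                              cloud_admin_domain=CLOUD_ADMIN_DOMAIN,
                              privileged_roles=PRIVILEGED_ROLES):
    """Return every privileged grant whose scope lies outside the admin domain.

    For system-scoped grants (no domain of their own) the actor's domain is
    used instead, since a system 'admin' held by a user from another domain is
    exactly the privilege escalation the thread describes.
    """
    findings = []
    for a in json.loads(assignments_json):
        if a.get("Role") not in privileged_roles:
            continue
        actor = a.get("User") or a.get("Group") or "?"
        _, actor_domain = _split_name(actor)
        kind, scope_name, scope_domain = _scope_of(a)
        effective_domain = scope_domain if scope_domain is not None else actor_domain
        if effective_domain != cloud_admin_domain:
            findings.append({
                "role": a["Role"],
                "actor": actor,
                "scope": f"{kind}:{scope_name}",
                "domain": effective_domain,
            })
    return findings


if __name__ == "__main__":
    # In practice feed this the output of:
    #   openstack role assignment list --names -f json
    for f in find_escaped_admin_grants(SAMPLE_ASSIGNMENTS):
        print(f"ESCAPED {f['role']} grant: {f['actor']} on {f['scope']} "
              f"(domain {f['domain']})")
```

Run it periodically against a fresh `openstack role assignment list --names -f json` dump and alert on any output; in the sample data it reports the domain-scoped, project-scoped and system-scoped "admin" grants made inside "acme" while leaving the legitimate cloud admin and the `_member_` grant alone.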