[Openstack-security] [Bug 1684320] Re: Domain admin has access to service Admin API with policy.v3cloudsample.json
Just to give a quick status update on the feature that will help fix
this. We do have the system-scope implementation going through review
now. We also have a series of patches to keystone (and some other
projects) that attempt to define the scope type for each
I've been tracking parts of this fix against bug 968696.
Domain admin has access to service Admin API with
Status in OpenStack Identity (keystone):
Status in OpenStack Security Advisory:
Keystone has a sample policy file to create a concept of domains per
customer, with a domain admin that manages users and tenants inside
In this policy, the domain admin role (a user who manages that domain)
would get the "admin" role assigned to them. However, with the
"admin" role assigned to them, they can make requests to the admin_api
(in this case, the Nova example).
I have done a fair bit of checking but I believe that a domain admin
can get full access to the admin_api (or be able to create a user with
an "admin" role and get access to the entire cloud). I believe this
affects all other projects, and users of this policy would not be aware
of the level of access given to a domain admin.
Perhaps the file can be revised to use a role like "domain_admin" and
Keystone would have a setting of "reserved role names" which cannot be
used (e.g. block the role "admin" from being created in a domain).
Please forgive me in advance if this is not a security issue and a
lack of understanding (I hope it is), but I have done a fair amount of
research on this so far and it seems like getting access to that
`admin` role is an issue.
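The access problem described in the report, shown with an added example that is not keystone, nova or oslo.policy code: a small stand-in evaluator for the flat `policy.json` rule syntax (only the `role:`, `system_scope:` and `rule:` checks, `and`/`or` composition), run against constructed credentials and a constructed policy. The unscoped `admin_api` rule is satisfied by a domain-scoped token that merely carries the `admin` role; the scope-qualified rule (the direction of the system-scope work mentioned in the status update) is not.

```python
# Constructed credentials in the shape of an oslo.policy creds dict.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "dom-a", "system_scope": None}
SYSTEM_ADMIN = {"roles": ["admin"], "domain_id": None, "system_scope": "all"}
DOMAIN_MEMBER = {"roles": ["member"], "domain_id": "dom-a", "system_scope": None}

# Constructed policy using flat policy.json rule strings (assumed names).
# "admin_api" is unscoped, as in the report; "admin_api_scoped" is the
# scope-aware form that requires a system-scoped token.
POLICY = {
    "admin_api": "role:admin",
    "admin_api_scoped": "role:admin and system_scope:all",
    "os-hypervisors": "rule:admin_api",
    "servers:create": "role:admin or role:member",
}


def _atom(atom, creds, policy):
    """Evaluate one 'key:value' check (a subset of oslo.policy's checks)."""
    key, _, value = atom.partition(":")
    if key == "role":
        return value in creds["roles"]
    if key == "system_scope":
        return creds.get("system_scope") == value
    if key == "rule":
        return enforce(value, creds, policy)  # reference to another rule
    raise ValueError(f"unsupported check: {atom!r}")


def enforce(rule_name, creds, policy):
    """True if creds satisfy policy[rule_name]; 'or' binds looser than 'and'."""
    expr = policy[rule_name]
    return any(
        all(_atom(a.strip(), creds, policy) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def granted(creds, policy=POLICY):
    """Sorted names of every rule the credentials pass: what a deployer can
    run to see which operations a domain admin actually reaches."""
    return sorted(name for name in policy if enforce(name, creds, policy))


if __name__ == "__main__":
    for label, creds in (("domain admin", DOMAIN_ADMIN), ("system admin", SYSTEM_ADMIN)):
        print(label, "->", granted(creds))
```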