openstack team mailing list archive

Thread
Date

Re: "Admin"-ness in Keystone, Nova, et. al.

To: Jay Pipes <jaypipes@xxxxxxxxx>, "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
From: "Yee, Guang" <guang.yee@xxxxxx>
Date: Fri, 30 Mar 2012 19:59:45 +0000
Accept-language: en-US
In-reply-to: <4F75FC5A.4020808@gmail.com>
Thread-index: AQHNDppfrvRyD8HN3kinxMwQXi+2JpaDIvlQgAAG4QCAABd8UA==
Thread-topic: [Openstack] "Admin"-ness in Keystone, Nova, et. al.

I think the fat Keystone implemented this naming hack. But why place a constraint on the names (i.e. may not be i18n friend) where we can do it right at once?


Guang


-----Original Message-----
From: openstack-bounces+guang.yee=hp.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+guang.yee=hp.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jay Pipes
Sent: Friday, March 30, 2012 11:33 AM
To: openstack@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack] "Admin"-ness in Keystone, Nova, et. al.

FWIW, it is possible in Glance to set the configuration option 
admin_role value to something other than "admin" -- for instance 
"glance:admin" -- to use a different role than "admin" to indicate a 
role that should only be able to admin Glance and not other endpoints.

https://github.com/openstack/glance/blob/master/etc/glance-api.conf#L33

Perhaps an immediate "solution" to this bug/feature request would be to 
add similar functionality to Keystone, Nova and Quantum?

Best,
-jay

On 03/30/2012 02:10 PM, Yee, Guang wrote:
> Does this look familiar? J
>
> https://bugs.launchpad.net/keystone/+bug/890411
>
> Guang
>
> *From:*openstack-bounces+guang.yee=hp.com@xxxxxxxxxxxxxxxxxxx
> [mailto:openstack-bounces+guang.yee=hp.com@xxxxxxxxxxxxxxxxxxx] *On
> Behalf Of *Andy Smith
> *Sent:* Friday, March 30, 2012 10:27 AM
> *To:* Julien Danjou
> *Cc:* openstack@xxxxxxxxxxxxxxxxxxx
> *Subject:* Re: [Openstack] "Admin"-ness in Keystone, Nova, etc
>
> Commented on the first bug.
>
> On Fri, Mar 30, 2012 at 7:41 AM, Julien Danjou
> <julien.danjou@xxxxxxxxxxxx <mailto:julien.danjou@xxxxxxxxxxxx>> wrote:
>
> On Fri, Mar 30 2012, Gabriel Hurley wrote:
>
>  > In practice today, Keystone no longer has global roles, and RBAC
>  > implementation isn't fully there yet across the ecosystem. So
> projects have
>  > adopted inconsistent means of determining when and how to grant
>  > "admin"-level privileges to that user. This isn't something individual
>  > projects can decide, though. It has to be agreed upon and consistent.
>  >
>  > I don't have a great solution for this problem since it's so very late in
>  > the Essex release cycle. However, I'm hoping we can perhaps do
> *something*
>  > other than to simply document that "users with admin-level permissions
>  > should only ever be granted admin permissions on a single admin
> tenant, and
>  > no other users should be granted an admin role anywhere."
>  >
>  > All that said, I'm deeply concerned about the security implications of
>  > real deployments being unaware of the unintended consequences of
>  > granting what appears to be a scoped "admin" role.
>
> Correct me if I'm wrong, but it seems to me that the problem is simply
> that the default policy used in keystone and nova says that "admin is
> anybody with role `admin' on any tenant", as you can see in their
> respective policy.json files.
>
> I think that this rule should probably be set to something else by
> default, like the user is admin if "it has role admin on a specific
> tenant (like a tenant named `admin')". Tthat would allow to emulate the
> old "global" admin role, just by using a specific tenant.
>
> --
> Julien Danjou
> // eNovance http://enovance.com
> // ✉julien.danjou@xxxxxxxxxxxx <mailto:julien.danjou@xxxxxxxxxxxx> ☎+33
> 1 49 70 99 81 <tel:%2B33%201%2049%2070%2099%2081>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> <mailto:openstack@xxxxxxxxxxxxxxxxxxx>
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Follow ups

Re: "Admin"-ness in Keystone, Nova, et. al.
From: Jay Pipes, 2012-03-30

References

"Admin"-ness in Keystone, Nova, et. al.
From: Gabriel Hurley, 2012-03-29
Re: "Admin"-ness in Keystone, Nova, et. al.
From: Julien Danjou, 2012-03-30
Re: "Admin"-ness in Keystone, Nova, et. al.
From: Andy Smith, 2012-03-30
Re: "Admin"-ness in Keystone, Nova, et. al.
From: Yee, Guang, 2012-03-30
Re: "Admin"-ness in Keystone, Nova, et. al.
From: Jay Pipes, 2012-03-30