yahoo-eng-team team mailing list archive
Message #25673
[Bug 968696] Re: "admin"-ness not properly scoped
An admin of one tenant can also create networks, routers and so on in other tenants, and take other actions. It might be a big security risk.
So I think it also affects Neutron.
** Also affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/968696
Title:
"admin"-ness not properly scoped
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Identity (Keystone):
Confirmed
Status in OpenStack Neutron (virtual network service):
New
Status in OpenStack Compute (Nova):
Fix Released
Bug description:
Fact: Keystone's RBAC model grants roles to users on specific tenants,
and post-keystone redux, there are no longer "global" roles.
Problem: Granting a user an "admin" role on ANY tenant grants them
unlimited "admin"-ness throughout the system because there is no
differentiation between a scoped "admin"-ness and a global
"admin"-ness.
I don't have a specific solution to advocate, but being an admin on
*any* tenant simply *cannot* allow you to administer all of keystone.
Steps to reproduce (from Horizon, though you could do this with the
CLI, too):
1. User A (existing admin) creates Project B and User B.
2. User A adds User B to Project B with the admin role on Project B.
3. User B logs in and now has unlimited admin rights not only to view things in the dashboard, but to take actions like creating new projects and users, managing existing projects and users, etc.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/968696/+subscriptions
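An added illustration of the scoping gap this bug describes (example code, not the bug report's or Keystone's own): a minimal policy evaluator that contrasts the unscoped check, where any "admin" role passes, with a check that binds the role to the project the token is scoped to. The rule names, the token model and the designated global admin project are assumptions made for the example.

```python
# Added example, not code from the bug report or from Keystone: a minimal
# policy evaluator contrasting an unscoped "admin" check with one that binds
# the admin role to the project the token is scoped to.
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    """Who is calling, which project the token is scoped to, and the roles
    granted on that project (Keystone-style: roles are per project)."""
    user: str
    project_id: str
    roles: frozenset

def check_unscoped(token: Token, target: dict) -> bool:
    """The flawed rule: 'admin' anywhere means admin everywhere (role:admin)."""
    return "admin" in token.roles

def check_scoped(token: Token, target: dict) -> bool:
    """Scoped rule: 'admin' counts only for targets in the token's own project
    (role:admin and project_id:%(project_id)s)."""
    return "admin" in token.roles and token.project_id == target["project_id"]

def check_scoped_or_global(token: Token, target: dict, admin_project: str) -> bool:
    """Keep a real global administrator: 'admin' is global only when the token
    is scoped to a designated admin project (assumption: configured out of band)."""
    if "admin" in token.roles and token.project_id == admin_project:
        return True
    return check_scoped(token, target)

# Constructed scenario following the bug's reproduction steps.
ADMIN_PROJECT = "project-admin"                                 # User A's home project
user_a = Token("user_a", ADMIN_PROJECT, frozenset({"admin"}))   # existing admin
user_b = Token("user_b", "project-b", frozenset({"admin"}))     # admin on Project B only
router_in_a = {"project_id": "project-a"}
router_in_b = {"project_id": "project-b"}

def evaluate() -> dict:
    """Each rule's decision for User B acting outside Project B, and User A globally."""
    return {
        "unscoped_b_on_a": check_unscoped(user_b, router_in_a),                   # True: the bug
        "scoped_b_on_a": check_scoped(user_b, router_in_a),                       # False
        "scoped_b_on_b": check_scoped(user_b, router_in_b),                       # True
        "global_a_on_a": check_scoped_or_global(user_a, router_in_a, ADMIN_PROJECT),  # True
        "global_b_on_a": check_scoped_or_global(user_b, router_in_a, ADMIN_PROJECT),  # False
    }
```

The first entry reproduces the report: with an unscoped rule, User B's admin role on Project B is enough to act on Project A's router, while the scoped variants deny it and still let the designated administrator through.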