yahoo-eng-team team mailing list archive

[Bug 1741092] [NEW] project admin can delete everything in all domains


Public bug reported:

Any user with the admin role in any project can perform random operations in any other domain and project, including 'Default'. For example deleting cinder volumes and nova instances.
If I ask for a domain scoped token (as domain admin) from openstack cli or directly from keystone api via curl then I can not do operations outside of that particular domain - as expected.

Everything behaves normally when the domain admin concept is not used at all,
e.g. there is one Default domain, one user with admin role and all other
users in other domains are using the _member_ role.

Horizon and keystone are using policy from here:
https://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json

Snippet from horizon local_settings.py
...
import os  # required for os.path.join below
# Path to directory containing policy.json files
ROOT_PATH = '/etc/horizon/'
POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
POLICY_FILES = {
    'identity': 'keystone_policy.json',
}
...


Versions:
horizon (12.0.2.dev6)
keystone (12.0.1.dev6)
keystoneauth1 (3.1.0)
keystonemiddleware (4.17.0)
python-keystoneclient (3.13.0)

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1741092
