yahoo-eng-team team mailing list archive

[Bug 1897593] [NEW] How to restrict adding users in projects from different domains/regions?

 

Public bug reported:

Hi Team,

I am able to add users or technical users to projects from different
domains. I don't think this is a default feature, or is it? If it is, can
we restrict users from being added from different domains/regions?

The keystone policy.json is present here: https://github.com/sapcc/helm-charts/blob/master/openstack/keystone/templates/etc/_policy.json.tpl

The command used to add users from a different domain is:

openstack role add --project <project_id> --user <user_id> <role_id>


Do we need to harden the policy with respect to:

    "identity:create_role": "rule:cloud_admin",

or

    "identity:update_role": "rule:cloud_admin",

Debug logs show that HTTP PUT is being used:

PUT call to identity for
<AUTH_URL>/v3/projects/<project_id>/users/<user_id>/roles/<role_id> used

Regards,
Rajiv

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: api-ref policy
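The PUT shown in the debug log, /v3/projects/{project_id}/users/{user_id}/roles/{role_id}, is keystone's role-assignment (grant) API; in keystone's default policy that call is governed by the identity:create_grant rule, while identity:create_role and identity:update_role only control the role definitions themselves. Keystone itself does not require a user's domain to match the project's domain, so whatever policy change an operator settles on, the existing cross-domain assignments still have to be found. The script below is an added example, not code from the bug report, from keystone or from the sapcc chart: it reads the JSON shape that `openstack role assignment list -f json` prints, joins it with user/group/project domain lookups (all constructed sample data, with placeholder IDs) and flags every project assignment whose user or group sits in a different domain than the project.

```python
"""Audit keystone role assignments for cross-domain project grants.

Added example; not code from the bug report, keystone, or the sapcc helm chart.
It consumes the JSON shape of `openstack role assignment list -f json` plus
user/group/project -> domain lookups (all constructed sample data below) and
flags project assignments whose actor lives in a different domain than the
project.
"""
import json

# Constructed sample output, modelled on the columns that
# `openstack role assignment list -f json` prints. All IDs are placeholders.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"Role": "role-member", "User": "user-alice", "Group": "", "Project": "proj-a", "Domain": "", "System": "", "Inherited": false},
  {"Role": "role-member", "User": "user-bob",   "Group": "", "Project": "proj-a", "Domain": "", "System": "", "Inherited": false},
  {"Role": "role-admin",  "User": "user-carol", "Group": "", "Project": "proj-b", "Domain": "", "System": "", "Inherited": false},
  {"Role": "role-member", "User": "", "Group": "group-ops", "Project": "proj-b", "Domain": "", "System": "", "Inherited": false},
  {"Role": "role-member", "User": "user-dave",  "Group": "", "Project": "proj-a", "Domain": "", "System": "", "Inherited": false},
  {"Role": "role-admin",  "User": "user-alice", "Group": "", "Project": "", "Domain": "dom-1", "System": "", "Inherited": false}
]
"""

# Constructed lookups; in practice these come from `openstack user show`,
# `openstack group show` and `openstack project show` (field domain_id).
USER_DOMAIN = {"user-alice": "dom-1", "user-bob": "dom-2", "user-carol": "dom-2"}
GROUP_DOMAIN = {"group-ops": "dom-1"}
PROJECT_DOMAIN = {"proj-a": "dom-1", "proj-b": "dom-2"}


def load_assignments(text):
    """Parse the JSON list emitted by `openstack role assignment list -f json`."""
    return json.loads(text)


def find_cross_domain_grants(assignments, user_domain, group_domain, project_domain):
    """Split project-scoped assignments into cross-domain findings and unresolvable ones.

    Returns (findings, unknown). Domain- and system-scoped assignments (empty
    Project) are skipped because the question is project membership. An actor
    or project missing from the lookups is reported in `unknown` rather than
    silently treated as compliant.
    """
    findings, unknown = [], []
    for a in assignments:
        project = a.get("Project")
        if not project:
            continue
        if a.get("User"):
            actor_kind, actor = "user", a["User"]
            actor_dom = user_domain.get(actor)
        elif a.get("Group"):
            actor_kind, actor = "group", a["Group"]
            actor_dom = group_domain.get(actor)
        else:
            continue
        proj_dom = project_domain.get(project)
        record = {
            "role": a.get("Role"),
            "actor_kind": actor_kind,
            "actor": actor,
            "actor_domain": actor_dom,
            "project": project,
            "project_domain": proj_dom,
        }
        if actor_dom is None or proj_dom is None:
            unknown.append(record)
        elif actor_dom != proj_dom:
            findings.append(record)
    return findings, unknown


def remediation_command(record):
    """Build the `openstack role remove` command that would undo one finding."""
    return (f"openstack role remove --project {record['project']} "
            f"--{record['actor_kind']} {record['actor']} {record['role']}")


def main():
    assignments = load_assignments(SAMPLE_ASSIGNMENTS_JSON)
    findings, unknown = find_cross_domain_grants(
        assignments, USER_DOMAIN, GROUP_DOMAIN, PROJECT_DOMAIN)
    for r in findings:
        print(f"CROSS-DOMAIN: {r['actor_kind']} {r['actor']} ({r['actor_domain']}) "
              f"has {r['role']} on project {r['project']} ({r['project_domain']})")
        print("  undo with:", remediation_command(r))
    for r in unknown:
        print(f"UNRESOLVED: {r['actor_kind']} {r['actor']} on {r['project']} "
              "(domain lookup missing)")


if __name__ == "__main__":
    main()
```

With the constructed data this reports user-bob on proj-a and group-ops on proj-b as cross-domain, and user-dave as unresolved because he is absent from the lookup; on a real cloud, replace the three constants with the output of the corresponding `openstack ... -f json` commands. Group assignments are checked on purpose, since a group in one domain granting membership on a project in another is the same exposure as the direct user grant in the report.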

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1897593

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1897593/+subscriptions