
yahoo-eng-team team mailing list archive

[Bug 1915193] [NEW] User with reader role has same permissions as with member role


Public bug reported:

The default reader role doesn't meet the expectations from
https://docs.openstack.org/keystone/ussuri/admin/service-api-protection.html.
For example: "users with reader on a project could list instances, users
with member on a project can list and create instances".

Actual results:
In my case, reader can create/delete instances and also routers, networks, ...

Expected results:
 Users with the reader role should only be able to list the mentioned resources and not touch the virtual infrastructure.

Environment:
 Centos 8.2.2004
 OpenStack release: Ussuri, deployed using kolla-ansible


Is there anything additional that needs to be done to set up the reader role? My Keystone and Neutron policies are attached.

** Affects: keystone
     Importance: Undecided
         Status: New

** Attachment added: "keystone-policy.yaml"
   https://bugs.launchpad.net/bugs/1915193/+attachment/5461952/+files/keystone-policy.yaml

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1915193
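As an added illustration (not part of the bug report, and not code from keystone, nova or oslo.policy), the Python below is a small, hypothetical re-implementation of the oslo.policy rule syntax: `kind:value` atoms, `rule:<name>` references, `and`/`or`/`not`, parentheses, and `%(attr)s` target substitution. It is enough to show why a check written around project ownership alone (`project_id:%(project_id)s`) cannot tell a reader from a member, while a check that names `role:member` can. The two policy dictionaries and the project id are constructed for the example; they are not the reporter's attached `keystone-policy.yaml`, and the `os_compute_api:servers:*` names are used only as familiar action labels.

```python
import re
from typing import Dict, List, Optional

# Credentials derived from the caller's token (roles, project_id, is_admin)
# and attributes of the resource being acted on.
Creds = Dict[str, object]
Target = Dict[str, str]

# Tokens: "(" , ")" , or an atom; an atom may embed a "%(name)s" substitution.
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+(?:\([^)]*\)[^\s()]*)*")


class PolicyEvaluator:
    """Teaching re-implementation of oslo.policy rule evaluation (hypothetical)."""

    def __init__(self, rules: Dict[str, str]) -> None:
        self.rules = rules

    def check(self, name: str, creds: Creds, target: Target) -> bool:
        tokens = _TOKEN_RE.findall(self.rules[name])
        if not tokens:              # an empty rule string means "always allowed"
            return True
        parser = _Parser(tokens, self, creds, target)
        result = parser.expr()
        if parser.peek() is not None:
            raise ValueError(f"trailing tokens in rule {name!r}")
        return result


class _Parser:
    """expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | atom.
    Both operands are always evaluated so every token is consumed."""

    def __init__(self, tokens: List[str], ev: PolicyEvaluator, creds: Creds, target: Target) -> None:
        self.tokens, self.i, self.ev, self.creds, self.target = tokens, 0, ev, creds, target

    def peek(self) -> Optional[str]:
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self) -> str:
        tok = self.tokens[self.i]
        self.i += 1
        return tok

    def expr(self) -> bool:
        val = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()
            val = val or rhs
        return val

    def term(self) -> bool:
        val = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            val = val and rhs
        return val

    def factor(self) -> bool:
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            val = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return val
        return self.atom(tok)

    def atom(self, tok: str) -> bool:
        if tok == "@":                              # always allowed
            return True
        if tok == "!":                              # never allowed
            return False
        kind, _, value = tok.partition(":")
        if kind == "rule":                          # reference to another named rule
            return self.ev.check(value, self.creds, self.target)
        if kind == "role":                          # role carried in the token
            return value in self.creds.get("roles", [])
        if value.startswith("%(") and value.endswith(")s"):
            value = self.target.get(value[2:-2])    # e.g. project_id:%(project_id)s
        return str(self.creds.get(kind)) == str(value)


# Constructed policy fragments (not the attached keystone-policy.yaml).
# LEGACY_RULES: an ownership-only default, where any role on the project is "owner".
LEGACY_RULES = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:servers:create": "rule:admin_or_owner",
}
# SCOPED_RULES: the reader/member split the keystone documentation describes.
SCOPED_RULES = {
    "project_reader": "role:reader and project_id:%(project_id)s",
    "project_member": "role:member and project_id:%(project_id)s",
    "os_compute_api:servers:index": "is_admin:True or rule:project_reader or rule:project_member",
    "os_compute_api:servers:create": "is_admin:True or rule:project_member",
}

PROJECT = "p-1234"  # constructed project id
# Keystone's default implied roles give a member token the reader role too; a reader token lacks member.
READER = {"roles": ["reader"], "project_id": PROJECT, "is_admin": False}
MEMBER = {"roles": ["member", "reader"], "project_id": PROJECT, "is_admin": False}


def allowed(rules: Dict[str, str], creds: Creds, action: str, target: Optional[Target] = None) -> bool:
    """Evaluate one action for one caller against the given rule set."""
    return PolicyEvaluator(rules).check(action, creds, target or {"project_id": PROJECT})


if __name__ == "__main__":
    for label, rules in (("legacy", LEGACY_RULES), ("scoped", SCOPED_RULES)):
        for who, creds in (("reader", READER), ("member", MEMBER)):
            for action in ("os_compute_api:servers:index", "os_compute_api:servers:create"):
                print(f"{label:6} {who:6} {action:32} {allowed(rules, creds, action)}")
```

Run stand-alone it prints a grid: under the ownership-only rules the reader is allowed both `index` and `create`, which is the behaviour the report describes; under the scoped rules the reader keeps `index` and loses `create`, and a member on another project is refused because the `project_id` match fails even though the role match passes. The practical check this suggests is to grep the effective service policy for actions whose rule never mentions `role:` and decides on ownership alone.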
