yahoo-eng-team team mailing list archive
Message #91162
[Bug 2004031] [NEW] User with admin_required in a non cloud_admin domain/project can manage other domains with admin_required permissions
Public bug reported:
In a deployment of OpenStack Yoga, I have the following policy.json
configured in Keystone: https://paste.ubuntu.com/p/F2PMP857mG/.
When I create a new domain, a project inside that domain, a user with
the role:Admin, and I set the context for that user/project/domain for
the CLI, I can perform actions like list and delete instances, images,
networks and routers created in the cloud_admin domain
domain_id:703118433996472d82713a3100b07432 and cloud_admin project
project_id:16264684b58747cba04a98c128f5044f.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2004031