yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2004031] Re: User with admin_required in a non cloud_admin domain/project can manage other domains with admin_required permissions

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: James Page <2004031@xxxxxxxxxxxxxxxxxx>
Date: Fri, 27 Jan 2023 16:08:11 -0000
Reply-to: Bug 2004031 <2004031@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Please can you provide full details of your deployment; specifically
which charms and channels you are using and on which base version of
Ubuntu.

** Project changed: keystone => charm-keystone

** Changed in: charm-keystone
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2004031

Title:
  User with admin_required in a non cloud_admin domain/project can
  manage other domains with admin_required permissions

Status in OpenStack Keystone Charm:
  Incomplete

Bug description:
  In a deployment of Openstack Yoga, I have the following policy.json
  configured in Keystone: https://paste.ubuntu.com/p/F2PMP857mG/.

  When I create a new domain, a project inside that domain, a user with
  the role:Admin, and I set the context for that user/project/domain for
  the CLI, I can perform actions like list and delete instances, images,
  networks and routers created in the cloud_admin domain
  domain_id:703118433996472d82713a3100b07432 and cloud_admin project
  project_id:16264684b58747cba04a98c128f5044f.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone/+bug/2004031/+subscriptions

References

[Bug 2004031] [NEW] User with admin_required in a non cloud_admin domain/project can manage other domains with admin_required permissions
From: Juan Pablo Noreña, 2023-01-27