Regular users do not have access to 'admin' ID when creating ACLs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Barbican | Won't Fix | Wishlist | Douglas Mendizábal | |
Bug Description
In order for a regular tenant to create an ACL granting access to a secret to the admin user, the tenant would run a command like the following:

```
openstack acl user add -u <user_id> <secret_href>
```

However, the `<user_id>` in the above command is the UUID of the user to which we'd like to grant access, and regular cloud users do not have access to the UUID of the admin user:
```
$ source ~/devstack/openrc demo demo
$ openstack user show admin
You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-fe4e0959-
$ openstack user list
You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-10b4d620-
```
This is problematic, since in order for 3rd party services to work (like neutron-lbaas and octavia), the user must grant access to secrets they upload to the 'admin' user or some service user.
Granted, any given cloud operator could make their specific admin UUID known to any users who need to use these third party services. However, it really seems like this is unnecessary extra work we are forcing users and operators to go through: we should provide a simple means for a regular non-privileged user to grant access to secrets they create to 'admin' and 'service'-type users.
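The point above is that the ACL only accepts a Keystone user ID, never a user name, so a tenant that cannot resolve 'admin' to its UUID cannot build a valid grant. The following is an added example, not code from the bug report or from Barbican itself, showing how a client-side helper would build the `read` ACL document for `PUT /v1/secrets/{secret_id}/acl` (the payload shape follows the Barbican v1 ACL API; the existing ACL document, the user IDs and the helper names are constructed for illustration). It rejects anything that is not a 32-hex-character Keystone ID, which assumes the default SQL identity backend, so a name like `admin` fails early instead of producing an unusable ACL.

```python
import json
import re

# Constructed sample: an ACL document as returned by
# GET /v1/secrets/{secret_id}/acl (shape follows the Barbican v1 ACL API).
EXISTING_ACL = {
    "read": {
        "users": ["9d3c7a1e2b4f4c0aa1f2e3d4c5b6a798"],
        "project-access": True,
    }
}

# Keystone's default SQL backend issues 32-hex-character IDs (uuid4.hex).
# Assumption: other identity backends may use different ID formats.
KEYSTONE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def is_keystone_user_id(value):
    """True if value looks like a Keystone user ID; 'admin' is a name, not an ID."""
    return isinstance(value, str) and bool(KEYSTONE_ID_RE.match(value))


def grant_read(acl, user_id):
    """Return a new ACL document with user_id added to the read users.

    The input is not mutated and the project-access flag is preserved.
    Non-UUID identifiers are rejected so a caller cannot silently submit
    a grant to 'admin' by name, which the API would not honour.
    """
    if not is_keystone_user_id(user_id):
        raise ValueError(f"{user_id!r} is not a Keystone user ID; ACLs need the UUID")
    read = acl.get("read", {})
    users = list(read.get("users", []))
    if user_id not in users:
        users.append(user_id)
    return {"read": {"users": users, "project-access": read.get("project-access", True)}}


def revoke_read(acl, user_id):
    """Return a new ACL document with user_id removed from the read users."""
    read = acl.get("read", {})
    users = [u for u in read.get("users", []) if u != user_id]
    return {"read": {"users": users, "project-access": read.get("project-access", True)}}


def acl_request_body(acl):
    """Serialize the ACL document as the JSON body for PUT /v1/secrets/{id}/acl."""
    return json.dumps(acl, sort_keys=True)


if __name__ == "__main__":
    # Constructed service-user ID standing in for the value an operator would
    # have to hand out; a real deployment would obtain it from the operator.
    service_user = "0123456789abcdef0123456789abcdef"
    print(acl_request_body(grant_read(EXISTING_ACL, service_user)))
    try:
        grant_read(EXISTING_ACL, "admin")
    except ValueError as exc:
        print("rejected:", exc)
```

Because the helper returns a fresh document rather than editing in place, the caller can fetch the current ACL, compute the new one, and submit it with a PUT without losing users that were already granted access.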
This bug report is related to this one: https:/
Changed in barbican:
- assignee: nobody → Douglas Mendizábal (dougmendizabal)
- milestone: none → pike-1
- status: New → Triaged
admin has access to all resources, why do we need to explicitly give access to admin?