admin role can't delete other tenants stacks
Bug #1466694 reported by Sam Morrison
This bug affects 10 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Heat | Fix Released | Medium | Rabi Mishra |
Bug Description
With the admin role you can't show or delete or do anything with other tenants' stacks.
I see multiple places where this is prevented at the API level and at the DB level.
Changed in heat:
assignee: nobody → Rico Lin (rico-lin)
Changed in heat:
assignee: Kairat Kushaev (kkushaev) → nobody
Changed in heat:
assignee: Steven Hardy (shardy) → Rabi Mishra (rabi)
Changed in heat:
milestone: none → newton-1
Changed in heat:
milestone: newton-1 → newton-2
Changed in heat:
status: In Progress → Triaged
Changed in heat:
milestone: newton-2 → newton-3
Changed in heat:
status: Triaged → Fix Released
IIUC, the RBAC is designed to prevent any non-authorized actions. The admin role should not get access rights from another project which it is not fully authorized with. It's true that the current admin role is by default still considered as the overall administrator across all projects, but it's not the best authorization design, and will be improved some day.
IMO, if you try to show or delete stacks from one tenant, then just give yourself the rights from that tenant and do whatever you can.