How to restrict adding users in projects from different domains/regions ?

Bug #1897593 reported by Rajiv Mucheli
Affects                        Status  Importance  Assigned to  Milestone
OpenStack Identity (keystone)  New     Undecided   Unassigned

Bug Description

Hi Team,

I am able to add users or Technical users to projects from different domains. I don't think this is a default feature, or is it? If yes, can we restrict users from being added from different domains/regions?

The keystone policy.json is present here: https://github.com/sapcc/helm-charts/blob/master/openstack/keystone/templates/etc/_policy.json.tpl

The command used to add users from a different domain is:

openstack role add --project <project_id> --user <user_id> <role_id>

Do we need to harden the policy wrt :

    "identity:create_role": "rule:cloud_admin",

or

    "identity:update_role": "rule:cloud_admin",

Debug logs show that HTTP PUT is being used:

PUT call to identity for <AUTH_URL>/v3/projects/<project_id>/users/<user_id>/roles/<role_id> used

Regards,
Rajiv

Tags: api-ref policy
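The PUT to /v3/projects/{project_id}/users/{user_id}/roles/{role_id} quoted in the report is keystone's grant API; the policy target keystone enforces for it is identity:create_grant, whereas identity:create_role and identity:update_role govern the role definitions themselves (POST/PATCH /v3/roles). The example below is added here and is not code from the report or from the sapcc chart; it is a toy evaluator for a subset of oslo.policy check strings, used to show the behavioural difference between a create_grant rule that only names the cloud admin and one that also ties the caller, the target project and the target user to a single domain. The rule names, domain ids and credentials are constructed; target.project.domain_id is a target attribute keystone supplies for grant checks, and target.user.domain_id is assumed to be available as well. The chart's own definitions of cloud_admin and admin_required are not reproduced.

```python
"""Toy evaluator for a subset of oslo.policy check strings (constructed example):
rule:NAME, role:NAME, KEY:VALUE, KEY:%(dotted.target.path)s, '@', '!', 'and' and
'or' (no parentheses). Keystone itself evaluates its policy file with oslo.policy."""


class Policy:
    def __init__(self, rules):
        self.rules = rules  # rule or action name -> check string

    def enforce(self, action, creds, target):
        return self._eval(self.rules[action], creds, target)

    def _eval(self, check_str, creds, target):
        tokens = check_str.split()  # %(...)s groups contain no whitespace
        pos = 0

        def peek():
            return tokens[pos] if pos < len(tokens) else None

        def take():
            nonlocal pos
            if pos >= len(tokens):
                raise ValueError("malformed check string %r" % check_str)
            pos += 1
            return tokens[pos - 1]

        def parse_or():  # 'and' binds tighter than 'or', as in oslo.policy
            value = parse_and()
            while peek() == "or":
                take()
                value = parse_and() or value
            return value

        def parse_and():
            value = self._check(take(), creds, target)
            while peek() == "and":
                take()
                value = self._check(take(), creds, target) and value
            return value

        value = parse_or()
        if pos != len(tokens):
            raise ValueError("trailing tokens in %r" % check_str)
        return value

    def _check(self, tok, creds, target):
        if tok in ("@", "!"):
            return tok == "@"
        kind, _, value = tok.partition(":")
        if kind == "rule":
            return self._eval(self.rules[value], creds, target)
        if kind == "role":
            return value in creds.get("roles", [])
        # Generic check: credential <kind> must equal <value>. A %(path)s value is
        # read from the request target; keystone flattens the target to dotted
        # keys before oslo.policy sees it, and walking the nested dict is equivalent.
        expected = value
        if value.startswith("%(") and value.endswith(")s"):
            expected = target
            for part in value[2:-2].split("."):
                expected = expected.get(part) if isinstance(expected, dict) else None
        if expected is None or kind not in creds:
            return False
        return str(creds[kind]) == str(expected)


# Constructed rule sets; the chart's own policy.json is not reproduced here.
BASE = {"admin_required": "role:admin",
        "cloud_admin": "rule:admin_required and domain_id:cloud-admin-domain"}
# A: only the cloud admin may create grants. Nothing in the rule relates the
# caller's domain to the target project's or the target user's domain.
CLOUD_ADMIN_ONLY = {**BASE, "identity:create_grant": "rule:cloud_admin"}
# B: domain admins may grant too, but only when they, the project and the user
# all belong to one domain; the match on target.user.domain_id (assumed to be
# present in the grant target) is what rejects a user from another domain.
SAME_DOMAIN = {**BASE,
    "domain_admin_for_grants": "rule:admin_required"
                               " and domain_id:%(target.project.domain_id)s"
                               " and domain_id:%(target.user.domain_id)s",
    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants"}

# Constructed callers: the cloud admin and the admin of domain-a.
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "cloud-admin-domain"}
DOMAIN_A_ADMIN = {"roles": ["admin"], "domain_id": "domain-a"}


def can_grant(rules, creds, project_domain, user_domain):
    """Evaluate identity:create_grant as keystone would for
    PUT /v3/projects/{p}/users/{u}/roles/{r}; only the two target attributes
    the rules above consult are modelled."""
    target = {"target": {"project": {"domain_id": project_domain},
                         "user": {"domain_id": user_domain}}}
    return Policy(rules).enforce("identity:create_grant", creds, target)


if __name__ == "__main__":
    for name, rules in (("cloud_admin_only", CLOUD_ADMIN_ONLY), ("same_domain", SAME_DOMAIN)):
        print(name, "- domain-a admin adds a domain-b user to a domain-a project:",
              can_grant(rules, DOMAIN_A_ADMIN, "domain-a", "domain-b"))
```

Under rule set A the cloud admin passes for any combination of domains and everyone else is denied, so the policy cannot express "same domain only". Under rule set B a domain admin is allowed only when the caller, project and user domains coincide; the cloud admin is still exempt, which is the usual deliberate escape hatch and the place to look if the goal is to forbid cross-domain grants for every caller.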
Rajiv Mucheli (rajiv.mucheli) wrote :

any update here ?
