User with reader role has same permissions as with member role

Bug #1915193 reported by Tomas Stodulka
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The default role reader doesn't meet the expectations set in https://docs.openstack.org/keystone/ussuri/admin/service-api-protection.html . For example: "users with reader on a project could list instance, users with member on a project can list and create instances".

Actual results:
In my case, a reader can create/delete instances and also routers, networks, ...

Expected results:
Users with the reader role should only list the mentioned resources and not touch the virtual infrastructure.

Environment:
 Centos 8.2.2004
 OpenStack release: Ussuri, deployed using kolla-ansible

Is there anything additional that needs to be done to set up the reader role? My policies for Keystone and Neutron are attached.

Margarita Shakhova (shakhova-margarita) wrote :

You need to provide configuration parameters; for example, in the case of nova it should be [oslo_policy] enforce_new_defaults = True
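Added example, not code from the bug report, nova or oslo.policy: a simplified Python model of why the reporter's reader could create servers. Until enforce_new_defaults is set, each new scoped default is still OR-ed with its deprecated predecessor, and the legacy "admin or owner" check passes for any project-scoped token regardless of role. The rule shapes, role names and token fields below are constructed stand-ins.

```python
# Constructed model (not oslo.policy's own code) of how a policy engine that
# still honours deprecated rules lets a project-scoped "reader" pass a write
# check. Effective check while enforce_new_defaults is off:
#   new_default OR deprecated_rule

# A check is a function (credentials, target) -> bool.
def role(name):
    return lambda creds, target: name in creds["roles"]

def project_owner():
    return lambda creds, target: creds["project_id"] == target["project_id"]

def all_of(*checks):
    return lambda creds, target: all(c(creds, target) for c in checks)

def any_of(*checks):
    return lambda creds, target: any(c(creds, target) for c in checks)

# Simplified stand-ins for nova's Ussuri defaults: the new rule requires a
# role, the deprecated one is the legacy admin-or-owner project match.
ADMIN_OR_OWNER = any_of(role("admin"), project_owner())
POLICY = {
    "os_compute_api:servers:index": {
        "new": all_of(role("reader"), project_owner()),
        "deprecated": ADMIN_OR_OWNER,
    },
    "os_compute_api:servers:create": {
        "new": all_of(role("member"), project_owner()),
        "deprecated": ADMIN_OR_OWNER,
    },
}

def enforce(action, creds, target, enforce_new_defaults):
    rule = POLICY[action]
    if rule["new"](creds, target):
        return True
    # Legacy fallback: with the default setting the deprecated rule still wins.
    if not enforce_new_defaults and rule["deprecated"] is not None:
        return rule["deprecated"](creds, target)
    return False

def reader_can_create_server(enforce_new_defaults):
    # Constructed sample token: only the reader role, scoped to project p1.
    reader = {"roles": ["reader"], "project_id": "p1"}
    target = {"project_id": "p1"}
    return enforce("os_compute_api:servers:create", reader, target, enforce_new_defaults)

if __name__ == "__main__":
    print("legacy fallback:", reader_can_create_server(False))  # True (the reported bug)
    print("new defaults   :", reader_can_create_server(True))   # False
```

The same fallback applies per service, so the flag has to be set in each service's own config (nova, neutron, ...) for the reader role to become read-only everywhere.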
