If an user is granted admin in a project it gets treated as de-facto admin in Cinder.
stack@ubnt-devstack:~/devstack$ openstack project create --enable priv-test
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | c377dc4721c244429e49a52245bc4b35 |
| is_domain | False |
| name | priv-test |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
stack@ubnt-devstack:~/devstack$ openstack user create --project priv-test --password <SNIP> --email <email address hidden> --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest
+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| default_project_id | c377dc4721c244429e49a52245bc4b35 |
| domain_id | default |
| email | <email address hidden> |
| enabled | True |
| id | 014365b2e2794a35afa0110122ed8755 |
| name | privtest |
| options | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
| password_expires_at | None |
+---------------------+-------------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role add --project priv-test --user privtest admin
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
+---------------------------+-----------------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+---------------------------+-----------------------------+-------------------+----------------------------+---------+--------+-----------+
| admin | privtest@Default | | priv-test@Default | | | False |
| service | designate@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| audit | project_a_auditor@Default | | project_a@Default | | | False |
| admin | | admins@Default | admin@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| creator | project_a_creator_2@Default | | project_a@Default | | | False |
| key-manager:service-admin | service-admin@Default | | service@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| admin | barbican@Default | | service@Default | | | False |
| creator | project_b_creator@Default | | project_b@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | project_a_admin@Default | | project_a@Default | | | False |
| service | glance@Default | | service@Default | | | False |
| observer | project_a_observer@Default | | project_a@Default | | | False |
| admin | project_b_admin@Default | | project_b@Default | | | False |
| observer | project_b_observer@Default | | project_b@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| creator | project_a_creator@Default | | project_a@Default | | | False |
| audit | project_b_auditor@Default | | project_b@Default | | | False |
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
+---------------------------+-----------------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE that only role privtest has is admin in priv-test@Default project.
stack@ubnt-devstack:~/devstack$ openstack user show demo
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| email | <email address hidden> |
| enabled | True |
| id | 5ef91cd7e9a946e0b37fd9db3111955a |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
stack@ubnt-devstack:~/devstack$ openstack project show demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 46117ada64914e75939330ddfa14af6c |
| is_domain | False |
| name | demo |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
stack@ubnt-devstack:~/devstack$ openstack volume create --image b1edae2e-8a84-4c49-8034-afc9f6845505 --size 2 --availability-zone nova test-volume
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2021-06-23T11:29:43.401592 |
| description | None |
| encrypted | False |
| id | a6762551-8e4b-4b1b-ac1a-6d3303509e6c |
| multiattach | False |
| name | test-volume |
| properties | |
| replication_status | None |
| size | 2 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| type | lvmdriver-1 |
| updated_at | None |
| user_id | 5ef91cd7e9a946e0b37fd9db3111955a |
+---------------------+--------------------------------------+
stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=priv-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=priv-test
OS_PASSWORD=<SNIP>
OS_IDENTITY_API_VERSION=3
stack@ubnt-devstack:~/devstack$ openstack volume set a6762551-8e4b-4b1b-ac1a-6d3303509e6c --size 4
stack@ubnt-devstack:~/devstack$
stack@ubnt-devstack:~/devstack$ cinder show a6762551-8e4b-4b1b-ac1a-6d3303509e6c
+--------------------------------+--------------------------------------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------------------------------------+
| attached_servers | [] |
| attachment_ids | [] |
| availability_zone | nova |
| bootable | true |
| consistencygroup_id | None |
| created_at | 2021-06-23T11:29:43.000000 |
| description | None |
| encrypted | False |
| id | a6762551-8e4b-4b1b-ac1a-6d3303509e6c |
| metadata | |
| migration_status | None |
| multiattach | False |
| name | test-volume |
| os-vol-host-attr:host | ubnt-devstack@lvmdriver-1#lvmdriver-1 |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | 46117ada64914e75939330ddfa14af6c |
| replication_status | None |
| size | 4 |
| snapshot_id | None |
| source_volid | None |
| status | available |
| updated_at | 2021-06-23T11:33:12.000000 |
| user_id | 5ef91cd7e9a946e0b37fd9db3111955a |
| volume_image_metadata | checksum : b874c39491a2377b8490f5f1e89761a4 |
| | container_format : bare |
| | disk_format : qcow2 |
| | hw_rng_model : virtio |
| | image_id : b1edae2e-8a84-4c49-8034-afc9f6845505 |
| | image_name : cirros-0.5.2-x86_64-disk |
| | min_disk : 0 |
| | min_ram : 0 |
| | owner_specified.openstack.md5 : |
| | owner_specified.openstack.object : images/cirros-0.5.2-x86_64-disk |
| | owner_specified.openstack.sha256 : |
| | signature_verified : False |
| | size : 16300544 |
| volume_type | lvmdriver-1 |
+--------------------------------+--------------------------------------------------------------------+
Rejecting this as a bug because Cinder doesn't support scoped tokens yet. So the only way to be a cinder administrator is to have the 'admin' role. We suggest that people not give that role out prematurely to people who are not intended to be full administrators of cinder.
We're working on implementing scoped token recognition in Xena so that "personas" such as 'project admin' can be a thing. But at this point, it's not.