Project admin gets treated as de-facto Admin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Invalid | Undecided | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
If a user is granted admin in a project, they get treated as a de-facto admin in Cinder.
stack@ubnt-
+------
| Field | Value |
+------
| description | |
| domain_id | default |
| enabled | True |
| id | c377dc4721c2444
| is_domain | False |
| name | priv-test |
| options | {} |
| parent_id | default |
| tags | [] |
+------
stack@ubnt-
+------
| Field | Value |
+------
| default_project_id | c377dc4721c2444
| domain_id | default |
| email | <email address hidden> |
| enabled | True |
| id | 014365b2e2794a3
| name | privtest |
| options | {'ignore_
| password_expires_at | None |
+------
stack@ubnt-
stack@ubnt-
+------
| Role | User | Group | Project | Domain | System | Inherited |
+------
| admin | privtest@Default | | priv-test@Default | | | False |
| service | designate@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| audit | project_
| admin | | admins@Default | admin@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| creator | project_
| key-manager:
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| member | demo@Default | | invisible_
| admin | barbican@Default | | service@Default | | | False |
| creator | project_
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | project_
| service | glance@Default | | service@Default | | | False |
| observer | project_
| admin | project_
| observer | project_
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| creator | project_
| audit | project_
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
+------
NOTE that the only role privtest has is admin in the priv-test@Default project.
stack@ubnt-
+------
| Field | Value |
+------
| domain_id | default |
| email | <email address hidden> |
| enabled | True |
| id | 5ef91cd7e9a946e
| name | demo |
| options | {} |
| password_expires_at | None |
+------
stack@ubnt-
+------
| Field | Value |
+------
| description | |
| domain_id | default |
| enabled | True |
| id | 46117ada64914e7
| is_domain | False |
| name | demo |
| options | {} |
| parent_id | default |
| tags | [] |
+------
stack@ubnt-
+------
| Field | Value |
+------
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2021-06-
| description | None |
| encrypted | False |
| id | a6762551-
| multiattach | False |
| name | test-volume |
| properties | |
| replication_status | None |
| size | 2 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| type | lvmdriver-1 |
| updated_at | None |
| user_id | 5ef91cd7e9a946e
+------
stack@ubnt-
OS_REGION_
OS_PROJECT_
OS_CACERT=
OS_AUTH_URL=http://
OS_TENANT_
OS_USER_
OS_USERNAME=
OS_VOLUME_
OS_AUTH_
OS_PROJECT_
OS_PASSWORD=<SNIP>
OS_IDENTITY_
stack@ubnt-
stack@ubnt-
stack@ubnt-
+------
| Property | Value |
+------
| attached_servers | [] |
| attachment_ids | [] |
| availability_zone | nova |
| bootable | true |
| consistencygroup_id | None |
| created_at | 2021-06-
| description | None |
| encrypted | False |
| id | a6762551-
| metadata | |
| migration_status | None |
| multiattach | False |
| name | test-volume |
| os-vol-
| os-vol-
| os-vol-
| os-vol-
| replication_status | None |
| size | 4 |
| snapshot_id | None |
| source_volid | None |
| status | available |
| updated_at | 2021-06-
| user_id | 5ef91cd7e9a946e
| volume_
| | container_format : bare |
| | disk_format : qcow2 |
| | hw_rng_model : virtio |
| | image_id : b1edae2e-
| | image_name : cirros-
| | min_disk : 0 |
| | min_ram : 0 |
| | owner_specified
| | owner_specified
| | owner_specified
| | signature_verified : False |
| | size : 16300544 |
| volume_type | lvmdriver-1 |
+------
information type: Public Security → Public
tags: added: security
Rejecting this as a bug because Cinder doesn't support scoped tokens yet. So the only way to be a cinder administrator is to have the 'admin' role. We suggest that people not give that role out prematurely to people who are not intended to be full administrators of cinder.
We're working on implementing scoped token recognition in Xena so that "personas" such as 'project admin' can be a thing. But at this point, it's not.
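To make the behaviour in this report and the triage comment concrete, here is an added example (not Cinder's code and not oslo.policy itself): a toy evaluator that mimics the semantics of oslo.policy's `role:`, `system_scope:` and `project_id:%(project_id)s` checks. It shows that under a bare `role:admin` rule a user whose only admin grant is on one project passes the admin check for another project's volume, while a rule that additionally requires a system-scoped token (the kind of scope recognition the comment says is pending) confines that user to their own project. It also includes a defender's check that scans `openstack role assignment list --names` output for admin grants on projects other than the expected admin/service ones. All user names, project IDs, volume names and table rows are constructed for the example and are not the real IDs from the report.

```python
"""Added example (not Cinder's code): why a project-scoped 'admin' grant behaves
as a global admin under a bare 'role:admin' policy rule, and how a scoped rule
closes that gap.  The evaluator mimics the semantics of oslo.policy's
'role:', 'system_scope:' and 'project_id:%(project_id)s' checks; it is a toy,
not oslo.policy itself.  All IDs and table rows are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

Creds = Dict[str, object]
Check = Callable[[Creds, Dict[str, str]], bool]


def make_creds(user: str, project_id: Optional[str], roles: List[str],
               system_scope: Optional[str] = None) -> Creds:
    """Credentials as a service derives them from a Keystone token.  A
    project-scoped token carries a project_id and no system_scope; a
    system-scoped token carries system_scope='all' and no project_id."""
    return {"user": user, "project_id": project_id,
            "roles": list(roles), "system_scope": system_scope}


def role(name: str) -> Check:
    """'role:<name>': true if the token carries the role, regardless of the
    project or scope the role was granted on.  This is the whole problem."""
    return lambda creds, target: name in creds["roles"]


def system_scope(value: str) -> Check:
    """'system_scope:<value>', e.g. 'system_scope:all'."""
    return lambda creds, target: creds["system_scope"] == value


def same_project() -> Check:
    """'project_id:%(project_id)s': token project owns the target resource."""
    return lambda creds, target: (creds["project_id"] is not None
                                  and creds["project_id"] == target["project_id"])


def all_of(*checks: Check) -> Check:
    return lambda creds, target: all(c(creds, target) for c in checks)


def any_of(*checks: Check) -> Check:
    return lambda creds, target: any(c(creds, target) for c in checks)


# Legacy rule shape: the admin check is just 'role:admin', so an admin grant
# on any project satisfies it for every project's resources.
LEGACY_ADMIN_API = role("admin")
LEGACY_VOLUME_GET = any_of(LEGACY_ADMIN_API, same_project())

# Scoped rule shape: a cloud-wide admin needs the admin role on a
# system-scoped token; a project-scoped admin is confined to its own project.
SYSTEM_ADMIN = all_of(role("admin"), system_scope("all"))
PROJECT_ADMIN = all_of(role("admin"), same_project())
PROJECT_MEMBER = all_of(role("member"), same_project())
SCOPED_VOLUME_GET = any_of(SYSTEM_ADMIN, PROJECT_ADMIN, PROJECT_MEMBER)


def legacy_volume_get(creds: Creds, volume: Dict[str, str]) -> bool:
    return LEGACY_VOLUME_GET(creds, volume)


def scoped_volume_get(creds: Creds, volume: Dict[str, str]) -> bool:
    return SCOPED_VOLUME_GET(creds, volume)


# Constructed actors and resources mirroring the shape of the report.
PRIVTEST = make_creds("privtest", "proj-priv-test", ["admin"])   # admin only on priv-test
DEMO = make_creds("demo", "proj-demo", ["member", "anotherrole"])
CLOUD_ADMIN = make_creds("admin", None, ["admin"], system_scope="all")
DEMO_VOLUME = {"project_id": "proj-demo", "name": "test-volume"}
PRIV_VOLUME = {"project_id": "proj-priv-test", "name": "priv-volume"}


def find_project_admin_grants(
        role_table: str,
        expected_projects: Tuple[str, ...] = ("admin@Default", "service@Default"),
) -> List[Tuple[str, str]]:
    """Defender's check: parse 'openstack role assignment list --names' output
    and return (assignee, project) pairs holding 'admin' on a project outside
    the ones where full administrators are expected.  Under the legacy rule
    each such grant is a cloud-wide Cinder admin."""
    hits: List[Tuple[str, str]] = []
    for line in role_table.splitlines():
        if not line.startswith("|") or line.startswith("| Role"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 7:
            continue
        role_name, user, group, project = cells[0], cells[1], cells[2], cells[3]
        if role_name == "admin" and project and project not in expected_projects:
            hits.append((user or group, project))
    return hits


# Constructed excerpt in the format of the report's role assignment table.
ROLE_TABLE = """\
| Role | User | Group | Project | Domain | System | Inherited |
| admin | privtest@Default | | priv-test@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| admin | | admins@Default | admin@Default | | | False |
| admin | admin@Default | | | | all | False |
"""

if __name__ == "__main__":
    print("legacy rule, privtest reads demo volume:", legacy_volume_get(PRIVTEST, DEMO_VOLUME))
    print("scoped rule, privtest reads demo volume:", scoped_volume_get(PRIVTEST, DEMO_VOLUME))
    print("unexpected project admin grants:", find_project_admin_grants(ROLE_TABLE))
```

Running the block prints that `privtest` reads the demo project's volume under the legacy rule and is refused under the scoped rule, and the role-table scan flags the `privtest@Default` grant on `priv-test@Default`. Until a deployment's Cinder honours scope, that scan is the practical control the triage comment points at: treat every `admin` grant outside the admin and service projects as a full Cinder administrator and review it accordingly.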