All users with the admin role are cloud admins
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Neutron API Charm | Fix Released | Critical | Liam Young |
Bug Description
If a user is given the admin role against any project or domain, then neutron interprets this as the user having global admin rights. To reproduce this, run the first set of commands as cloud admin to set up a new domain, project and user. Then grant admin to the user over the new project. Create a network as the cloud admin user. Finally, switch to the new user and disable the cloud admin's network:
openstack domain create --or-show --enable bug-domain
openstack project create --or-show --enable --domain bug-domain bug-project
openstack user create --or-show --enable --domain bug-domain \
openstack role add --user-domain bug-domain --user bug-user \
openstack network create cloudadmin-
openstack network show cloudadmin-
source unset_all
env | grep OS_
openstack --os-region-name RegionOne --os-auth-url http://
openstack --os-region-name RegionOne --os-auth-url http://
-c admin_state_up -f value
(Output can be seen here: https:/
This appears to be due to the default policy.json that ships with the neutron server.
I think this can be fixed by updating the policy.json and changing the context_is_admin rule from:
"context_is_admin": "role:admin",
to
"context_is_admin": "role:admin and is_admin_
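A defender's check for the condition this report describes, as an added example that is not part of the original bug report or the charm's code: it evaluates a policy's context_is_admin rule, using a simplified reading of the policy rule syntax, for a user who holds only the admin role on one project. The sample policies are constructed, and example_scope is a placeholder attribute, not the truncated condition quoted in the report.

```python
import json
import re

# Constructed policies. "example_scope" is a placeholder, not a real Neutron check.
WEAK = json.loads('{"context_is_admin": "role:admin"}')
SCOPED = json.loads('{"context_is_admin": "role:admin and example_scope:True"}')

def evaluate(policy, rule_name, creds):
    """Evaluate one rule with a simplified subset of the policy language."""
    tokens = re.findall(r"\(|\)|[^\s()]+", policy[rule_name])

    def check(token):
        if token in ("@", "!"):          # always-true / always-false checks
            return token == "@"
        kind, _, match = token.partition(":")
        if kind == "role":
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        if kind == "rule":               # reference to another named rule
            return evaluate(policy, match, creds)
        return str(creds.get(kind)) == match  # generic attribute comparison

    def unary():
        token = tokens.pop(0)
        if token == "not":
            return not unary()
        if token == "(":
            result = parse("or")
            tokens.pop(0)                # consume ")"
            return result
        return check(token)

    def parse(op):
        # "or" binds loosest, then "and", then unary checks
        operand = (lambda: parse("and")) if op == "or" else unary
        result = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            rhs = operand()
            result = (result or rhs) if op == "or" else (result and rhs)
        return result

    return parse("or") if tokens else True  # an empty rule always passes

def admin_role_alone_suffices(policy):
    """True if a user holding only a project-level admin role is treated as admin."""
    project_admin = {"roles": ["admin"], "project_id": "bug-project"}
    return evaluate(policy, "context_is_admin", project_admin)
```

A policy for which `admin_role_alone_suffices` returns True has the exposure described above: any project-level admin passes the context_is_admin rule.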
Changed in charm-neutron-api:
status: New → Confirmed
importance: Undecided → Critical
Changed in charm-neutron-api:
assignee: nobody → Liam Young (gnuoy)
status: Confirmed → Triaged
Changed in charm-neutron-api:
status: Triaged → In Progress
Changed in charm-neutron-api:
milestone: none → 19.07
Changed in charm-neutron-api:
status: Fix Committed → Fix Released
Related bugs:
https://bugs.launchpad.net/keystone/+bug/968696
https://bugs.launchpad.net/glance/+bug/1602081