Comment 5 for bug 1933332

Brian Rosmaita (brian-rosmaita) wrote :

I'll address Erno's points in reverse order.

> Does Cinder actually document somewhere that any admin role gets treated as de-facto admin in Cinder?

We do, but I appreciate Erno bringing this up, because it would be good for the VMT to decide whether our docs are clear enough. We have this documented in at least 2 places:

(1) "Policy Configuration"
https://docs.openstack.org/cinder/latest/configuration/block-storage/policy.html
(This is a generated file.)
The very first item is:
rule: context_is_admin
default: role_admin
description: Decides what is required for the "is_admin:True" check to succeed

Then, two items down:
rule: admin_api
default: is_admin:True or ( [0] )
description: Default rule for most Admin APIs.

[0] this is added by https://review.opendev.org/c/openstack/cinder/+/384642, which is the "Fix Released" in Bug #968696. In what sense that's a fix is a good question. I believe it was or'd so it wouldn't break existing deployments, and then people were supposed to move away from relying on context_is_admin and could adjust the policy file.

Because the file is generated and will be changing during Xena development, here's a permalink to the relevant source code for the above:
https://opendev.org/openstack/cinder/src/commit/f340058145f9473b6cf2694e0620c2ca8964b728/cinder/policies/base.py#L79-L89

(2) "Policy configuration HowTo"
in particular, the section "Pre-Defined Policy Rules"
https://docs.openstack.org/cinder/latest/configuration/block-storage/policy-config-HOWTO.html#pre-defined-policy-rules
Gives an explanation of "context-is-admin".
Also note the introductory paragraphs of the "Example: Configuring a Read-Only Administrator" section (up to and including the "Warning" box).