I'll address Erno's points in reverse order.
> Does Cinder actually document somewhere that any admin role gets treated as de-facto admin in Cinder?
We do, but I appreciate Erno bringing this up, because it would be good for the VMT to decide whether our docs are clear enough. We have this documented in at least 2 places:
(1) "Policy Configuration" https://docs.openstack.org/cinder/latest/configuration/block-storage/policy.html
(This is a generated file.)
The very first item is:
rule: context_is_admin
default: role:admin
description: Decides what is required for the "is_admin:True" check to succeed
Then, two items down:
rule: admin_api
default: is_admin:True or ( [0] )
description: Default rule for most Admin APIs.
[0] this is added by https://review.opendev.org/c/openstack/cinder/+/384642, which is the "Fix Released" in Bug #968696. In what sense that's a fix is a good question. I believe it was or'd so it wouldn't break existing deployments, and then people were supposed to move away from relying on context_is_admin and could adjust the policy file.
Because the file is generated and will be changing during Xena development, here's a permalink to the relevant source code for the above: https://opendev.org/openstack/cinder/src/commit/f340058145f9473b6cf2694e0620c2ca8964b728/cinder/policies/base.py#L79-L89
(2) "Policy configuration HowTo" https://docs.openstack.org/cinder/latest/configuration/block-storage/policy-config-HOWTO.html#pre-defined-policy-rules
in particular, the section "Pre-Defined Policy Rules"
Gives an explanation of "context-is-admin".
Also note the introductory paragraphs of the "Example: Configuring a Read-Only Administrator" section (up to and including the "Warning" box).
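To make the interaction between the two pre-defined rules above concrete, here is an added example (not Cinder's code and not part of the comment above). It re-implements just enough of the oslo.policy rule language (role:<name>, is_admin:True, rule:<name>, and/or, parentheses) to show why any user carrying the role named in context_is_admin satisfies admin_api: the context's is_admin flag is derived from context_is_admin, and admin_api accepts is_admin:True. The elided second disjunct of admin_api is left out, the cloud_admin role used in the override and the sample credentials are constructed for illustration, and the mini-evaluator is a stand-in for oslo.policy, not its implementation.

```python
"""Added example: how Cinder's context_is_admin feeds admin_api.

This is not Cinder's or oslo.policy's code. It models only the subset of
the rule language needed for the two documented rules.
"""
import re

# Rule strings as documented on the Cinder policy page. The second
# disjunct of admin_api is elided there, so it is omitted here too.
DEFAULT_RULES = {
    "context_is_admin": "role:admin",
    "admin_api": "is_admin:True",
}

# Constructed override: a deployment that only treats a dedicated role
# as admin. The role name cloud_admin is an assumption for this example.
HARDENED_RULES = dict(DEFAULT_RULES, context_is_admin="role:cloud_admin")

# Constructed sample credentials (what oslo.policy receives as "creds").
PROJECT_ADMIN = {"user_id": "u1", "project_id": "tenant-b", "roles": ["admin", "member"]}
MEMBER = {"user_id": "u2", "project_id": "tenant-b", "roles": ["member"]}
CLOUD_ADMIN = {"user_id": "u3", "project_id": "admin", "roles": ["cloud_admin"]}

# Tokens: parentheses, the keywords and/or, and kind:value atoms.
TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:[^\s()]+")


def tokenize(rule):
    return TOKEN_RE.findall(rule)


def check_atom(kind, value, rules, creds):
    """Evaluate a single kind:value check against the credentials."""
    if kind == "rule":
        # rule:<name> refers to another named rule.
        return evaluate(rules[value], rules, creds)
    if kind == "role":
        # Role names are compared case-insensitively, as oslo.policy does.
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    # Generic check: compare the literal against the credential of the
    # same name, as strings (so is_admin:True matches a Python True).
    return str(creds.get(kind)) == value


class _Parser:
    """Recursive-descent evaluator: expr := term (or term)*; term := factor (and factor)*."""

    def __init__(self, tokens, rules, creds):
        self.toks, self.pos, self.rules, self.creds = tokens, 0, rules, creds

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def expr(self):
        result = self.term()
        while self.peek() == "or":
            self.take()
            result = self.term() or result  # term() always runs, so tokens are consumed
        return result

    def term(self):
        result = self.factor()
        while self.peek() == "and":
            self.take()
            result = self.factor() and result
        return result

    def factor(self):
        tok = self.take()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parenthesis")
            return value
        kind, _, value = tok.partition(":")
        return check_atom(kind, value, self.rules, self.creds)


def evaluate(rule, rules, creds):
    parser = _Parser(tokenize(rule), rules, creds)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in rule: %r" % rule)
    return result


def check_is_admin(rules, creds):
    """The step taken when a request context is built: is_admin comes from context_is_admin."""
    return evaluate(rules["context_is_admin"], rules, creds)


def enforce(rules, rule_name, creds):
    """Enforce a named rule after deriving the context's is_admin flag."""
    creds = dict(creds, is_admin=check_is_admin(rules, creds))
    return evaluate(rules[rule_name], rules, creds)


if __name__ == "__main__":
    for label, creds in (("project admin", PROJECT_ADMIN), ("member", MEMBER), ("cloud_admin", CLOUD_ADMIN)):
        print("%-14s default admin_api=%-5s  hardened admin_api=%s" % (
            label, enforce(DEFAULT_RULES, "admin_api", creds),
            enforce(HARDENED_RULES, "admin_api", creds)))
```

With the documented defaults, the user holding the admin role in tenant-b passes admin_api, because nothing in the chain looks at which project the role was granted in. Overriding context_is_admin in policy.yaml is the knob the HowTo's "Pre-Defined Policy Rules" section describes; the example only changes the rule string and leaves admin_api untouched.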