Comment 154 for bug 968696

sean mooney (sean-k-mooney) wrote :

Closed this for nova as we don't plan to allow scoping admin ever.

The way to "fix this" currently, based on the secure and consistent RBAC community goal, is I believe the manager role.

https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#project-manager

In Yoga a direction shift happened: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

That reinstated the global nature of a project-scoped admin token,
i.e. by design a project-scoped token with the admin role should be able to interact with any project-scoped resources.

For Nova that means a project-scoped admin token should be able to list and delete any server in any project.

From my perspective the admin role by definition is and has been a global admin, so this bug is not valid for nova based on that understanding. The manager role is not intended to have the same global nature.
By adopting it for previously admin-only operations we can have a separate role for a limited admin capability that is scoped to one project or one domain.

That does not mean the manager role should be able to do everything admin can do today.

A project manager should not be able to create flavors in nova, for example, as that would affect other projects also, but they should be able to live migrate an instance.
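The role semantics described in this comment, modelled as an added example (not Nova's or oslo.policy's own code): a tiny policy enforcer in which the admin role on a project-scoped token is global, the manager role is limited to the project the token is scoped to, and deployment-wide operations such as flavor creation stay admin-only. The rule names mirror Nova's policy names; the check functions and the `Context`/target shapes are simplified assumptions made for the illustration.

```python
# Added illustration of the admin vs. manager scoping described in the comment.
# This is not Nova's policy code; the check functions are simplified stand-ins
# for oslo.policy check strings, and the sample contexts are constructed here.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Context:
    """A request context derived from a project-scoped Keystone token."""
    roles: frozenset
    project_id: str  # the project the token is scoped to


def is_admin(ctx: Context, target: dict) -> bool:
    # Admin is global by design: the target project is deliberately ignored.
    return "admin" in ctx.roles


def is_project_member(ctx: Context, target: dict) -> bool:
    # Member may only act on resources owned by the token's own project.
    return "member" in ctx.roles and ctx.project_id == target.get("project_id")


def is_project_manager(ctx: Context, target: dict) -> bool:
    # Manager is a limited admin bound to one project, never deployment-wide.
    return "manager" in ctx.roles and ctx.project_id == target.get("project_id")


Check = Callable[[Context, dict], bool]

# Each rule lists alternatives; any passing alternative grants access.
POLICY: Dict[str, List[Check]] = {
    # Listing servers across all projects: global admin only.
    "os_compute_api:servers:index:get_all_tenants": [is_admin],
    # Deleting a server: admin anywhere, or a member of the owning project.
    "os_compute_api:servers:delete": [is_admin, is_project_member],
    # Live migration: admin anywhere, or a manager of the owning project.
    "os_compute_api:os-migrate-server:migrate_live": [is_admin, is_project_manager],
    # Flavor creation affects every project, so it stays admin-only.
    "os_compute_api:os-flavor-manage:create": [is_admin],
}


def enforce(rule: str, ctx: Context, target: dict = None) -> bool:
    """Return True if any alternative for `rule` authorises ctx against target."""
    target = target or {}
    return any(check(ctx, target) for check in POLICY[rule])


# Constructed sample tokens and a server owned by project "proj-b".
ADMIN_IN_A = Context(roles=frozenset({"admin", "member"}), project_id="proj-a")
MANAGER_IN_A = Context(roles=frozenset({"manager", "member"}), project_id="proj-a")
MEMBER_IN_A = Context(roles=frozenset({"member"}), project_id="proj-a")
SERVER_IN_A = {"project_id": "proj-a"}
SERVER_IN_B = {"project_id": "proj-b"}


if __name__ == "__main__":
    for name, ctx in [("admin", ADMIN_IN_A), ("manager", MANAGER_IN_A), ("member", MEMBER_IN_A)]:
        for rule in POLICY:
            for label, srv in [("own project", SERVER_IN_A), ("other project", SERVER_IN_B)]:
                print(f"{name:8} {rule:48} {label:14} -> {enforce(rule, ctx, srv)}")
```

Running the block prints the full decision matrix: the project-scoped admin token passes every rule regardless of the target project, the manager token passes live migration only for its own project and never flavor creation, and the plain member can delete only its own project's servers.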