"admin"-ness not properly scoped
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | Undecided | Unassigned |
Glance | In Progress | High | Unassigned |
OpenStack Compute (nova) | Won't Fix | Wishlist | Unassigned |
OpenStack Dashboard (Horizon) | Fix Released | Critical | Gabriel Hurley |
OpenStack Identity (keystone) | Confirmed | High | Colleen Murphy |
neutron | Fix Released | Undecided | Unassigned |
puppet-keystone | Invalid | Undecided | Unassigned |
Bug Description
Fact: Keystone's RBAC model grants roles to users on specific tenants, and post-keystone redux, there are no longer "global" roles.
Problem: Granting a user an "admin" role on ANY tenant grants them unlimited "admin"-ness throughout the system because there is no differentiation between a scoped "admin"-ness and a global "admin"-ness.
I don't have a specific solution to advocate, but being an admin on *any* tenant simply *cannot* allow you to administer all of keystone.
Steps to reproduce (from Horizon, though you could do this with the CLI, too):
1. User A (existing admin) creates Project B and User B.
2. User A adds User B to Project B with the admin role on Project B.
3. User B logs in and now has unlimited admin rights not only to view things in the dashboard, but to take actions like creating new projects and users, managing existing projects and users, etc.
Note: See changes ongoing under https:/
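The following is an added illustration, not code from the bug report or from any OpenStack project: a minimal model of why a flat "role:admin" policy rule lets an admin on one project act everywhere, placed beside a scoped rule that ties the decision to the project the token is scoped to. The role-assignment table, the `issue_token`, `flat_admin_rule`, `scoped_admin_rule`, `evaluate` and `compare` functions, the request list and the idea of a single designated admin project (`ADMIN_PROJECT`) are all constructed assumptions standing in for keystone's real policy engine; they reproduce the three steps above rather than any actual keystone code.

```python
"""Added example (not part of the bug report): a simplified policy model
showing the unscoped "role:admin" rule the bug describes next to a scoped
variant. Everything here is a constructed stand-in for keystone's engine."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed role assignments, (user, project) -> roles, as in steps 1-2.
ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("user-a", "project-a"): {"admin"},   # User A: the existing admin
    ("user-b", "project-b"): {"admin"},   # User B: admin on Project B only
}
# Assumption: one project is designated as the cloud-admin project.
ADMIN_PROJECT = "project-a"


@dataclass(frozen=True)
class Token:
    user: str
    project_id: str            # project the token is scoped to
    roles: FrozenSet[str]      # only the roles held on that project


def issue_token(user: str, project_id: str) -> Token:
    """Project-scoped token: carries only the roles granted on that project."""
    roles = ASSIGNMENTS.get((user, project_id), set())
    return Token(user, project_id, frozenset(roles))


def flat_admin_rule(token: Token, target_project: Optional[str]) -> bool:
    """The unscoped rule behind the bug: 'role:admin' with no scope check.
    Any admin grant on any project satisfies it, whatever the target is."""
    return "admin" in token.roles


def scoped_admin_rule(token: Token, target_project: Optional[str]) -> bool:
    """Scoped variant: the caller is either a cloud admin (token scoped to the
    admin project) or a project admin acting on the project the token is
    scoped to. Targets with no project (e.g. the user list) need cloud admin."""
    if "admin" not in token.roles:
        return False
    if token.project_id == ADMIN_PROJECT:
        return True
    return target_project is not None and token.project_id == target_project


# Constructed requests modelling step 3: (action, target project or None for
# system-level targets).
REQUESTS = [
    ("list_users", None),
    ("delete_project:project-a", "project-a"),
    ("create_user_in:project-b", "project-b"),
]


def evaluate(token: Token, rule) -> Dict[str, bool]:
    """Run every constructed request through one rule; returns action -> allowed."""
    return {action: rule(token, target) for action, target in REQUESTS}


def compare(user: str, project_id: str) -> Dict[str, Dict[str, bool]]:
    """Decisions for a user's project-scoped token under both rules."""
    token = issue_token(user, project_id)
    return {"flat": evaluate(token, flat_admin_rule),
            "scoped": evaluate(token, scoped_admin_rule)}


if __name__ == "__main__":
    for user, project in (("user-a", "project-a"), ("user-b", "project-b")):
        for rule_name, decisions in compare(user, project).items():
            print(f"{user}@{project} under {rule_name} rule: {decisions}")
```

Under the flat rule User B's token, scoped to Project B, is allowed to delete Project A and list all users, which is the behaviour the report describes; under the scoped rule the same token is confined to Project B while User A, scoped to the admin project, keeps cloud-wide rights. The point for a defender is that the role name alone is not a sufficient policy target; the scope the token was issued for has to enter the decision.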
summary: "admin"-ness not propoerly scoped → "admin"-ness not properly scoped
description: updated
description: updated
Changed in horizon:
  importance: Undecided → Critical
  assignee: nobody → Gabriel Hurley (gabriel-hurley)
  status: New → Confirmed
Changed in nova:
  status: New → Confirmed
Changed in horizon:
  milestone: none → folsom-2
Changed in horizon:
  status: Fix Committed → Fix Released
Changed in nova:
  status: Fix Committed → Fix Released
Changed in horizon:
  milestone: folsom-2 → 2012.2
Changed in nova:
  milestone: folsom-3 → 2012.2
Changed in nova:
  status: Fix Released → Confirmed
  milestone: 2012.2 → none
  assignee: Jake Dahn (jakedahn) → nobody
Changed in cinder:
  milestone: none → liberty-3
  status: Fix Committed → Fix Released
tags: added: keystone rbac
Changed in cinder:
  milestone: liberty-3 → 7.0.0
Changed in puppet-keystone:
  assignee: nobody → Adam Young (ayoung)
Changed in keystone:
  milestone: none → mitaka-2
Changed in glance:
  status: New → Triaged
  importance: Undecided → High
Changed in glance:
  assignee: nobody → Sharat Sharma (sharat-sharma)
  status: Triaged → In Progress
Changed in nova:
  status: Confirmed → In Progress
  assignee: nobody → Sharat Sharma (sharat-sharma)
Changed in cinder:
  assignee: Brent Roskos (broskos) → Adam Young (ayoung)
Changed in glance:
  assignee: Sharat Sharma (sharat-sharma) → Adam Young (ayoung)
Changed in neutron:
  assignee: nobody → Adam Young (ayoung)
Changed in nova:
  assignee: Adam Young (ayoung) → Matthew Edmonds (edmondsw)
Changed in nova:
  assignee: Matthew Edmonds (edmondsw) → Adam Young (ayoung)
Changed in nova:
  assignee: Adam Young (ayoung) → Matthew Edmonds (edmondsw)
Changed in nova:
  assignee: Matthew Edmonds (edmondsw) → Adam Young (ayoung)
Changed in keystone:
  assignee: Adam Young (ayoung) → Matthew Edmonds (edmondsw)
Changed in keystone:
  assignee: Matthew Edmonds (edmondsw) → Adam Young (ayoung)
Changed in nova:
  assignee: Adam Young (ayoung) → Gage Hugo (gagehugo)
Changed in keystone:
  assignee: Gage Hugo (gagehugo) → Adam Young (ayoung)
Changed in glance:
  assignee: Adam Young (ayoung) → nobody
Changed in cinder:
  assignee: Adam Young (ayoung) → nobody
Changed in neutron:
  assignee: Adam Young (ayoung) → nobody
Changed in keystone:
  assignee: Adam Young (ayoung) → nobody
Changed in puppet-keystone:
  assignee: Adam Young (ayoung) → nobody
Changed in keystone:
  assignee: nobody → Gage Hugo (gagehugo)
Changed in keystone:
  assignee: Gage Hugo (gagehugo) → Adam Young (ayoung)
Changed in keystone:
  assignee: Adam Young (ayoung) → Lance Bragstad (lbragstad)
Changed in keystone:
  assignee: Lance Bragstad (lbragstad) → Adam Young (ayoung)
Changed in nova:
  assignee: Gage Hugo (gagehugo) → Adam Young (ayoung)
Changed in keystone:
  assignee: Adam Young (ayoung) → nobody
Changed in nova:
  assignee: Adam Young (ayoung) → nobody
Changed in nova:
  assignee: nobody → Adam Young (ayoung)
Changed in keystone:
  assignee: Adam Young (ayoung) → Lance Bragstad (lbragstad)
Changed in keystone:
  assignee: Lance Bragstad (lbragstad) → Colleen Murphy (krinkle)
Changed in keystone:
  milestone: none → train-rc1
  status: In Progress → Fix Committed
  status: Fix Committed → Fix Released
Changed in neutron:
  status: Triaged → Fix Committed
Changed in nova:
  status: In Progress → Fix Committed
Changed in puppet-keystone:
  status: New → Invalid
Changed in neutron:
  status: Fix Committed → Fix Released
Changed in nova:
  status: Confirmed → Won't Fix
To clarify steps 1 & 2, I read this as two *different* relationships being created between User B and Project B.
First, User B is created with a default tenant of Project B. <-- This behaves as expected.
Second, User B is explicitly granted the admin role on Project B. <-- This takes effect globally, regardless.
In terms of the keystone CLI, this looks like:

```
keystone tenant-create --name=project-b
keystone user-create --name=user-b --pass=secret --tenant_id=<tenant id of project b>
keystone user-role-add --user=<user id of user b> --role=<role id of admin role> --tenant_id=<tenant id of project b>
```
After creating User B, I then confirmed the bug by authenticating as User B for Project B, and then successfully listing all users and tenants in the system, and then subsequently deleting User A and Project A.