While I agree this should be fixed, it's not a security bug but rather how the initial version of authorization was implemented.
In the Diablo and Essex releases of OpenStack, Admin was effectively global and not per-tenant or per-service. That's the entire reason for adding domains to Keystone, and behind the idea of unifying the role names (which are installation-global) to match up with local service policy.json files (i.e., move to "nova-admin", "glance-admin", etc. instead of a single "admin").
If you want a role that's a global admin, you can still use "admin" and create associated policy.json files that respect that identifier.
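To make the difference between a single global "admin" role and per-service role names concrete, here is an added example (not code from the comment above, and not OpenStack's own policy engine, which at the time lived in openstack.common.policy and is now oslo.policy). It uses two constructed policy.json fragments and a deliberately simplified evaluator that understands only `role:`, `rule:` and `<key>:%(target_key)s` matches joined by `or`.

```python
import json
import re

# Constructed policy.json fragments (assumption, not from the bug report): the
# Essex-style global "admin" role beside a per-service "nova-admin" role.
GLOBAL_ADMIN_POLICY = json.dumps({
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
    "compute:delete": "rule:admin_or_owner",
})
SERVICE_ADMIN_POLICY = json.dumps({
    "context_is_admin": "role:nova-admin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
    "compute:delete": "rule:admin_or_owner",
})


def _check(expr, creds, target, rules):
    """Evaluate one rule expression (simplified, hypothetical evaluator):
    'or'-separated alternatives of role:<name>, rule:<name> or
    <cred_key>:%(target_key)s. Any alternative matching grants access."""
    for alt in expr.split(" or "):
        kind, _, value = alt.strip().partition(":")
        if kind == "role" and value in creds.get("roles", []):
            return True
        if kind == "rule" and _check(rules[value], creds, target, rules):
            return True
        if kind not in ("role", "rule"):
            m = re.fullmatch(r"%\((\w+)\)s", value)
            if m and creds.get(kind) == target.get(m.group(1)):
                return True
    return False


def enforce(policy_json, action, creds, target):
    """Return True if creds may perform action on target under this policy."""
    rules = json.loads(policy_json)
    return _check(rules[action], creds, target, rules)
```

With the global policy a user holding "admin" can delete any project's instance; with the per-service policy the same user is treated as an ordinary owner, and only "nova-admin" is privileged in nova.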