User with reader role can perform similar operation as other roles
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | New | Undecided | Unassigned | |
Bug Description
Openstack Release: Zed (openstack deployed using openstack-helm)
OS: Ubuntu 22.04.2 LTS (Jammy)
The reader role in OpenStack can perform all the operations that the member role can. It looks like it has similar permissions to the member role.
I tried assigning the reader role to a newly created user and adding that user to a project that another user with the member role was also part of. I created an instance using the member-role user and tried to delete it using the reader-role user, which I managed to do. This is not only for instances: the reader-role user can also modify other OpenStack resources, such as networks, volumes, etc.
The reader role should only have limited access, just to monitor the resources. It should not modify them.
I have also tried to add [oslo_policy] enforce_
I have attached nova policy file for reference.
Is there any specific policy configuration needed, or some changes in the code of nova and keystone?
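An added example of the two oslo.policy switches that decide which set of nova rules is actually enforced; this is not from the bug report or its attached policy file, and the values are illustrative. The option names `enforce_new_defaults` and `enforce_scope` and the section name `[oslo_policy]` are real oslo.policy settings; whether they are already set in the reporter's nova.conf is not stated on the page and is the first thing to verify.

```ini
# nova.conf, [oslo_policy] section (added example; values are illustrative,
# not taken from the reporter's deployment)
[oslo_policy]
# When the newer role-based defaults are NOT enforced, nova's legacy
# "admin or owner" style rules apply. Those rules match any role held on
# the project, so a user who holds only "reader" still satisfies the rule
# for deleting a server. Enabling the new defaults switches nova to the
# rules that distinguish reader, member and admin.
enforce_new_defaults = True
# Also reject tokens whose scope (project vs. system) does not match the
# rule. Enable this only after confirming every caller (services, scripts,
# dashboards) obtains correctly scoped tokens, otherwise they are refused.
enforce_scope = True
# Explicit overrides, if any, live in this file; the defaults ship in code.
policy_file = policy.yaml
```

Two checks worth doing before and after changing these: confirm with `openstack role assignment list --user <user> --project <project>` that the test user holds only `reader` on the project (keystone's implied roles go one way, `admin` implies `member` implies `reader`, so a reader-only user should never satisfy a `role:member` check); and restart nova-api after editing nova.conf, since oslo.policy reads these options at service start. The same two options exist in neutron and cinder, which is why the reporter sees the behaviour across networks and volumes as well.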