++ this is a "dupe" of https://bugs.launchpad.net/keystone/+bug/968696
This has been sort of "by [lazy] design" for a *long* time, but obviously it's a shortcoming not documented loudly enough. Having the "admin" role on any tenant/project grants you root of openstack, so to speak.
The core issue is that we're overloading the explicit role assignment in the magical case of 'admin', because we don't have any other way to express service-level authorization. So, not only does policy apply the role on the per-project (as specified), but because it's the magical "admin", it's applied globally as well.
We've had a looong running discussion about the best way to provide a long term solution; there's a pile of blueprints and mailing list threads but none have ever gained significant community support. IMO, the shortest path to a solution would be something like this:
https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens
Which would provide explicit service-level authorization (e.g. "admin on nova" vs "admin on project X"), and project-specific role assignments would no longer be applied globally.
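The failure mode the comment describes, as an added toy model that is not Keystone code and not part of the bug thread: a minimal policy evaluator over project-scoped tokens. The rule shapes (`GLOBAL_ADMIN_RULE`, `SCOPED_ADMIN_RULE`), the `Token` type and the users/projects are all constructed for illustration. A rule that only tests for the `admin` role lets an admin on project "x" pass a check on project "y"; adding a project match to the rule confines the decision to the token's own project.

```python
"""Toy model (constructed, not Keystone code) of an over-broad "admin" check.

A rule that only asks "does the token carry role admin?" cannot tell
"admin on project X" from "admin everywhere", so project-level admin
becomes global admin. Adding a project match to the rule scopes it.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Token:
    """A project-scoped token: who, which project, which roles (constructed)."""
    user: str
    project_id: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed rule format: a list of predicates that must all hold.
#   ("role", name)     -> token carries that role
#   ("same_project",)  -> token's project equals the target's project
GLOBAL_ADMIN_RULE = [("role", "admin")]                    # the over-broad check
SCOPED_ADMIN_RULE = [("role", "admin"), ("same_project",)]  # scoped to the token's project


def enforce(rule, token: Token, target_project_id: str) -> bool:
    """Return True if every predicate in `rule` holds for this token/target."""
    for pred in rule:
        if pred[0] == "role" and pred[1] not in token.roles:
            return False
        if pred[0] == "same_project" and token.project_id != target_project_id:
            return False
    return True


def demo() -> dict:
    """Alice is admin on project "x" only; Bob is a plain member of "x"."""
    alice = Token("alice", "x", frozenset({"admin"}))
    bob = Token("bob", "x", frozenset({"member"}))
    return {
        # role-only rule: admin on "x" is treated as admin on "y" too
        "global_rule_cross_project": enforce(GLOBAL_ADMIN_RULE, alice, "y"),
        # scoped rule: the same token is refused on "y" ...
        "scoped_rule_cross_project": enforce(SCOPED_ADMIN_RULE, alice, "y"),
        # ... but still allowed on its own project
        "scoped_rule_own_project": enforce(SCOPED_ADMIN_RULE, alice, "x"),
        # a non-admin fails either rule
        "member_denied": enforce(SCOPED_ADMIN_RULE, bob, "x"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Running it shows the first check allowed (the cross-project escalation the comment calls "root of openstack"), the second denied, the third allowed and the fourth denied. Real deployments express the same distinction in their policy rules; the point of the model is only that the decision must include the target's scope, not just the role name.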