2012-03-29 23:02:07 |
Gabriel Hurley |
bug |
|
|
added bug |
2012-03-29 23:02:33 |
Gabriel Hurley |
summary |
"admin"-ness not propoerly scoped |
"admin"-ness not properly scoped |
|
2012-03-29 23:02:42 |
Gabriel Hurley |
description |
Fact: Keystone's rbac model correlates grants roles to users on specific tenants, and post-keystone redux, there are no longer "global" roles.
Problem: Granting a user an "admin" role on ANY tenant grants them unlimited "admin"-ness throughout the system because there is no differentiation between a scoped "admin"-ness and a global "admin"-ness.
I don't have a specific solution to advocate, but being an admin on *any* tenant simply *cannot* allow you to administer all of keystone.
Steps to reproduce (from Horizon):
1. User A (existing admin) creates Project B and User B.
2. User A adds User B to Project B with the admin role on Project B.
3. User B logs in and now has unlimited admin rights not only to view things in the dashboard, but to take actions like creating new projects and users, managing existing projects and users, etc. |
Fact: Keystone's rbac model grants roles to users on specific tenants, and post-keystone redux, there are no longer "global" roles.
Problem: Granting a user an "admin" role on ANY tenant grants them unlimited "admin"-ness throughout the system because there is no differentiation between a scoped "admin"-ness and a global "admin"-ness.
I don't have a specific solution to advocate, but being an admin on *any* tenant simply *cannot* allow you to administer all of keystone.
Steps to reproduce (from Horizon):
1. User A (existing admin) creates Project B and User B.
2. User A adds User B to Project B with the admin role on Project B.
3. User B logs in and now has unlimited admin rights not only to view things in the dashboard, but to take actions like creating new projects and users, managing existing projects and users, etc. |
|
2012-03-29 23:03:23 |
Gabriel Hurley |
description |
Fact: Keystone's rbac model grants roles to users on specific tenants, and post-keystone redux, there are no longer "global" roles.
Problem: Granting a user an "admin" role on ANY tenant grants them unlimited "admin"-ness throughout the system because there is no differentiation between a scoped "admin"-ness and a global "admin"-ness.
I don't have a specific solution to advocate, but being an admin on *any* tenant simply *cannot* allow you to administer all of keystone.
Steps to reproduce (from Horizon):
1. User A (existing admin) creates Project B and User B.
2. User A adds User B to Project B with the admin role on Project B.
3. User B logs in and now has unlimited admin rights not only to view things in the dashboard, but to take actions like creating new projects and users, managing existing projects and users, etc. |
Fact: Keystone's rbac model grants roles to users on specific tenants, and post-keystone redux, there are no longer "global" roles.
Problem: Granting a user an "admin" role on ANY tenant grants them unlimited "admin"-ness throughout the system because there is no differentiation between a scoped "admin"-ness and a global "admin"-ness.
I don't have a specific solution to advocate, but being an admin on *any* tenant simply *cannot* allow you to administer all of keystone.
Steps to reproduce (from Horizon, though you could do this with the CLI, too):
1. User A (existing admin) creates Project B and User B.
2. User A adds User B to Project B with the admin role on Project B.
3. User B logs in and now has unlimited admin rights not only to view things in the dashboard, but to take actions like creating new projects and users, managing existing projects and users, etc. |
|
2012-03-29 23:04:34 |
Joseph Heck |
bug task added |
|
nova |
|
2012-03-29 23:04:52 |
Joseph Heck |
bug task added |
|
horizon |
|
2012-03-29 23:13:58 |
Gabriel Hurley |
horizon: importance |
Undecided |
Critical |
|
2012-03-29 23:14:03 |
Gabriel Hurley |
horizon: assignee |
|
Gabriel Hurley (gabriel-hurley) |
|
2012-03-29 23:14:08 |
Gabriel Hurley |
horizon: status |
New |
Confirmed |
|
2012-03-30 00:53:45 |
Dolph Mathews |
keystone: status |
New |
Confirmed |
|
2012-03-30 12:56:53 |
Brian Lamar |
bug |
|
|
added subscriber Brian Lamar |
2012-04-13 22:24:04 |
Mark Maglana |
bug |
|
|
added subscriber Mark |
2012-05-02 20:08:07 |
Ding Deng |
bug |
|
|
added subscriber Ding Deng |
2012-06-07 02:13:30 |
Tom Fifield |
nova: status |
New |
Confirmed |
|
2012-06-07 09:45:46 |
Thierry Carrez |
bug task deleted |
nova |
|
|
2012-06-07 16:20:00 |
Joseph Heck |
keystone: importance |
Undecided |
Low |
|
2012-06-13 23:05:57 |
Gabriel Hurley |
bug task added |
|
nova |
|
2012-06-15 00:51:12 |
Gabriel Hurley |
horizon: milestone |
|
folsom-2 |
|
2012-06-15 00:52:48 |
OpenStack Infra |
horizon: status |
Confirmed |
In Progress |
|
2012-06-19 00:07:46 |
Boris Devouge |
bug |
|
|
added subscriber Boris Devouge |
2012-06-19 00:09:35 |
Boris Devouge |
bug |
|
|
added subscriber bG0209 |
2012-06-21 22:24:32 |
OpenStack Infra |
horizon: status |
In Progress |
Fix Committed |
|
2012-07-04 08:33:05 |
Thierry Carrez |
horizon: status |
Fix Committed |
Fix Released |
|
2012-08-16 20:47:09 |
Vish Ishaya |
nova: status |
New |
Fix Committed |
|
2012-08-16 20:47:18 |
Vish Ishaya |
nova: milestone |
|
folsom-3 |
|
2012-08-16 20:47:25 |
Vish Ishaya |
nova: importance |
Undecided |
High |
|
2012-08-16 20:47:35 |
Vish Ishaya |
nova: assignee |
|
Jake Dahn (jakedahn) |
|
2012-08-16 21:06:43 |
Thierry Carrez |
nova: status |
Fix Committed |
Fix Released |
|
2012-09-27 14:56:18 |
Thierry Carrez |
horizon: milestone |
folsom-2 |
2012.2 |
|
2012-09-27 15:25:19 |
Thierry Carrez |
nova: milestone |
folsom-3 |
2012.2 |
|
2013-08-12 17:59:09 |
Juliano Ciocari |
bug |
|
|
added subscriber Juliano Ciocari |
2013-08-29 23:46:49 |
Dolph Mathews |
keystone: importance |
Low |
High |
|
2013-10-07 17:06:58 |
Adam Young |
keystone: assignee |
|
Adam Young (ayoung) |
|
2013-12-02 17:17:51 |
Arvind Tiwari |
bug |
|
|
added subscriber Arvind Tiwari |
2013-12-04 18:19:50 |
David Chadwick |
bug |
|
|
added subscriber David Chadwick |
2013-12-13 06:28:51 |
Rui Chen |
bug |
|
|
added subscriber ruichen |
2014-02-13 12:00:19 |
Vincent Untz |
bug |
|
|
added subscriber Vincent Untz |
2014-04-09 03:18:41 |
Prashanth Rao |
bug |
|
|
added subscriber Prashanth Rao |
2014-05-07 13:10:12 |
Kévin Bernard-Allies |
bug |
|
|
added subscriber Kévin Bernard-Allies |
2014-05-15 02:52:40 |
Yang Zhang |
bug |
|
|
added subscriber Yang Zhang |
2014-06-16 09:27:03 |
Ramon Acedo |
bug |
|
|
added subscriber Ramon Acedo |
2014-10-13 15:35:03 |
Enrique Garcia Navalon |
bug |
|
|
added subscriber Enrique Garcia Navalon |
2014-11-13 13:25:50 |
Dakol |
bug |
|
|
added subscriber Dakol |
2014-12-17 08:59:43 |
Song Li |
bug task added |
|
neutron |
|
2014-12-17 09:00:45 |
Song Li |
bug |
|
|
added subscriber Song Li |
2014-12-19 10:36:37 |
Dr. Jens Harbott |
bug |
|
|
added subscriber Dr. Jens Rosenboom |
2014-12-22 11:33:01 |
Eugene Nikanorov |
neutron: status |
New |
Incomplete |
|
2015-03-28 11:45:26 |
Tom Verdaat |
bug |
|
|
added subscriber Tom Verdaat |
2015-04-15 13:30:04 |
Filip Hubík |
bug |
|
|
added subscriber Filip Hubík |
2015-05-09 02:11:33 |
Adam Heczko |
bug |
|
|
added subscriber Adam Heczko |
2015-05-18 18:45:44 |
Joe Savak |
bug |
|
|
added subscriber Joe Savak |
2015-05-29 23:38:05 |
Mark Russell |
bug |
|
|
added subscriber Mark Russell |
2015-06-23 06:02:00 |
Pradeep Naik |
bug |
|
|
added subscriber Pradeep |
2015-06-23 18:46:27 |
Eric Brown |
bug |
|
|
added subscriber Eric Brown |
2015-06-25 02:21:49 |
Shuichiro MAKIGAKI |
bug |
|
|
added subscriber Shuichiro MAKIGAKI |
2015-07-23 16:00:15 |
Thierry Carrez |
nova: status |
Fix Released |
Confirmed |
|
2015-07-23 16:00:23 |
Thierry Carrez |
nova: milestone |
2012.2 |
|
|
2015-07-23 16:00:29 |
Thierry Carrez |
nova: assignee |
Jake Dahn (jakedahn) |
|
|
2015-07-24 17:23:03 |
Adam Young |
bug task added |
|
glance |
|
2015-07-24 17:23:17 |
Adam Young |
bug task added |
|
cinder |
|
2015-08-08 12:46:26 |
gustavo panizzo |
bug |
|
|
added subscriber gustavo panizzo |
2015-08-15 11:56:43 |
Brent Roskos |
cinder: status |
New |
In Progress |
|
2015-08-15 11:56:43 |
Brent Roskos |
cinder: assignee |
|
Brent Roskos (broskos) |
|
2015-08-18 02:19:08 |
Rochelle Grober |
bug |
|
|
added subscriber Rochelle Grober |
2015-08-27 11:36:05 |
OpenStack Infra |
cinder: status |
In Progress |
Fix Committed |
|
2015-09-03 14:44:20 |
Thierry Carrez |
cinder: status |
Fix Committed |
Fix Released |
|
2015-09-03 14:44:20 |
Thierry Carrez |
cinder: milestone |
|
liberty-3 |
|
2015-09-16 08:41:54 |
Markus Zoeller (markus_z) |
tags |
|
keystone rbac |
|
2015-10-06 06:10:57 |
Robert van Leeuwen |
bug |
|
|
added subscriber Robert van Leeuwen |
2015-10-12 03:19:07 |
OpenStack Infra |
keystone: status |
Confirmed |
In Progress |
|
2015-10-15 00:10:37 |
Matthew Edmonds |
bug |
|
|
added subscriber Matthew Edmonds |
2015-10-15 11:50:38 |
Thierry Carrez |
cinder: milestone |
liberty-3 |
7.0.0 |
|
2015-11-02 21:05:05 |
Richard Megginson |
bug task added |
|
puppet-keystone |
|
2015-11-02 21:14:06 |
Kyle Mestery |
neutron: assignee |
|
Kevin Benton (kevinbenton) |
|
2015-11-02 21:14:11 |
Kyle Mestery |
neutron: status |
Incomplete |
Triaged |
|
2015-11-04 08:33:02 |
s2007202759 |
bug |
|
|
added subscriber s2007202759 |
2015-11-20 09:43:55 |
Kevin Benton |
tags |
keystone rbac |
keystone |
|
2015-11-20 09:44:51 |
Kevin Benton |
neutron: assignee |
Kevin Benton (kevinbenton) |
|
|
2015-12-10 18:10:02 |
Adam Young |
puppet-keystone: assignee |
|
Adam Young (ayoung) |
|
2015-12-15 01:57:56 |
Steve Martinelli |
keystone: milestone |
|
mitaka-2 |
|
2015-12-15 14:01:45 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Released |
|
2016-01-12 16:36:09 |
Ian Cordasco |
glance: status |
New |
Triaged |
|
2016-01-12 16:36:16 |
Ian Cordasco |
glance: importance |
Undecided |
High |
|
2016-02-19 21:04:48 |
Sean Dague |
nova: importance |
High |
Wishlist |
|
2016-03-21 14:21:07 |
Attila Fazekas |
bug |
|
|
added subscriber Attila Fazekas |
2016-04-13 14:13:13 |
Oku |
bug |
|
|
added subscriber Oku |
2016-04-19 07:39:22 |
Sharat Sharma |
glance: assignee |
|
Sharat Sharma (sharat-sharma) |
|
2016-04-19 07:39:40 |
Sharat Sharma |
glance: status |
Triaged |
In Progress |
|
2016-04-19 07:51:57 |
Sharat Sharma |
nova: status |
Confirmed |
In Progress |
|
2016-04-19 07:52:04 |
Sharat Sharma |
nova: assignee |
|
Sharat Sharma (sharat-sharma) |
|
2016-07-07 05:50:24 |
Maurice Escher |
bug |
|
|
added subscriber Maurice Schreiber |
2016-09-30 04:00:43 |
Adam Young |
description |
Fact: Keystone's rbac model grants roles to users on specific tenants, and post-keystone redux, there are no longer "global" roles.
Problem: Granting a user an "admin" role on ANY tenant grants them unlimited "admin"-ness throughout the system because there is no differentiation between a scoped "admin"-ness and a global "admin"-ness.
I don't have a specific solution to advocate, but being an admin on *any* tenant simply *cannot* allow you to administer all of keystone.
Steps to reproduce (from Horizon, though you could do this with the CLI, too):
1. User A (existing admin) creates Project B and User B.
2. User A adds User B to Project B with the admin role on Project B.
3. User B logs in and now has unlimited admin rights not only to view things in the dashboard, but to take actions like creating new projects and users, managing existing projects and users, etc. |
Fact: Keystone's rbac model grants roles to users on specific tenants, and post-keystone redux, there are no longer "global" roles.
Problem: Granting a user an "admin" role on ANY tenant grants them unlimited "admin"-ness throughout the system because there is no differentiation between a scoped "admin"-ness and a global "admin"-ness.
I don't have a specific solution to advocate, but being an admin on *any* tenant simply *cannot* allow you to administer all of keystone.
Steps to reproduce (from Horizon, though you could do this with the CLI, too):
1. User A (existing admin) creates Project B and User B.
2. User A adds User B to Project B with the admin role on Project B.
3. User B logs in and now has unlimited admin rights not only to view things in the dashboard, but to take actions like creating new projects and users, managing existing projects and users, etc.
Note: See changes ongoing under https://bugs.launchpad.net/neutron/+bug/1602081 which is required before policy changes can enforce. |
|
2016-09-30 04:01:21 |
Adam Young |
nova: status |
In Progress |
Confirmed |
|
2016-10-09 03:13:02 |
OpenStack Infra |
nova: status |
Confirmed |
In Progress |
|
2016-10-09 03:13:02 |
OpenStack Infra |
nova: assignee |
Sharat Sharma (sharat-sharma) |
Adam Young (ayoung) |
|
2016-10-10 19:37:59 |
Adam Young |
cinder: assignee |
Brent Roskos (broskos) |
Adam Young (ayoung) |
|
2016-10-10 19:38:17 |
Adam Young |
glance: assignee |
Sharat Sharma (sharat-sharma) |
Adam Young (ayoung) |
|
2016-10-10 19:38:25 |
Adam Young |
neutron: assignee |
|
Adam Young (ayoung) |
|
2016-10-11 02:58:15 |
Adam Young |
keystone: status |
Fix Released |
In Progress |
|
2016-10-11 14:42:18 |
Lance Bragstad |
keystone: milestone |
mitaka-2 |
|
|
2016-10-13 20:56:31 |
OpenStack Infra |
nova: assignee |
Adam Young (ayoung) |
Matthew Edmonds (edmondsw) |
|
2016-10-14 14:48:21 |
Adam Young |
nova: assignee |
Matthew Edmonds (edmondsw) |
Adam Young (ayoung) |
|
2016-10-14 14:50:36 |
Marco Voelz |
bug |
|
|
added subscriber Marco Voelz |
2016-10-14 19:43:14 |
OpenStack Infra |
nova: assignee |
Adam Young (ayoung) |
Matthew Edmonds (edmondsw) |
|
2016-10-18 02:00:33 |
OpenStack Infra |
nova: assignee |
Matthew Edmonds (edmondsw) |
Adam Young (ayoung) |
|
2016-11-15 22:13:35 |
OpenStack Infra |
keystone: assignee |
Adam Young (ayoung) |
Matthew Edmonds (edmondsw) |
|
2016-12-02 04:17:01 |
OpenStack Infra |
keystone: assignee |
Matthew Edmonds (edmondsw) |
Adam Young (ayoung) |
|
2017-02-21 16:22:24 |
Pas |
bug |
|
|
added subscriber Pas |
2017-03-01 21:42:02 |
Marc Heckmann |
attachment added |
|
patch to _populate_is_admin_project https://bugs.launchpad.net/keystone/+bug/968696/+attachment/4829321/+files/_populate_is_admin_project.patch |
|
2017-03-01 21:58:25 |
Marc Heckmann |
attachment added |
|
neutron_req_context.patch https://bugs.launchpad.net/keystone/+bug/968696/+attachment/4829332/+files/neutron_req_context.patch |
|
2017-04-11 22:39:21 |
Nate |
bug |
|
|
added subscriber Nate |
2017-04-22 08:43:52 |
Shuichiro MAKIGAKI |
removed subscriber Shuichiro MAKIGAKI |
|
|
|
2017-05-01 11:43:56 |
Tom Verdaat |
removed subscriber Tom Verdaat |
|
|
|
2017-05-11 14:46:35 |
OpenStack Infra |
keystone: assignee |
Adam Young (ayoung) |
Gage Hugo (gagehugo) |
|
2017-05-12 05:32:48 |
José Pekkarinen |
bug |
|
|
added subscriber José Pekkarinen |
2017-05-16 16:09:24 |
OpenStack Infra |
nova: assignee |
Adam Young (ayoung) |
Gage Hugo (gagehugo) |
|
2017-05-19 19:08:17 |
OpenStack Infra |
keystone: assignee |
Gage Hugo (gagehugo) |
Adam Young (ayoung) |
|
2017-05-25 20:00:00 |
Marc Heckmann |
bug |
|
|
added subscriber Marc Heckmann |
2017-06-06 01:17:30 |
Adam Young |
glance: assignee |
Adam Young (ayoung) |
|
|
2017-06-06 01:17:35 |
Adam Young |
cinder: assignee |
Adam Young (ayoung) |
|
|
2017-06-06 01:17:42 |
Adam Young |
neutron: assignee |
Adam Young (ayoung) |
|
|
2017-06-06 01:17:48 |
Adam Young |
keystone: assignee |
Adam Young (ayoung) |
|
|
2017-06-06 01:17:55 |
Adam Young |
puppet-keystone: assignee |
Adam Young (ayoung) |
|
|
2017-06-06 07:27:10 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
2017-06-27 18:31:22 |
OpenStack Infra |
keystone: assignee |
|
Gage Hugo (gagehugo) |
|
2017-08-16 19:22:46 |
OpenStack Infra |
keystone: assignee |
Gage Hugo (gagehugo) |
Adam Young (ayoung) |
|
2017-08-16 19:45:02 |
OpenStack Infra |
keystone: assignee |
Adam Young (ayoung) |
Lance Bragstad (lbragstad) |
|
2017-09-25 19:54:18 |
OpenStack Infra |
keystone: assignee |
Lance Bragstad (lbragstad) |
Adam Young (ayoung) |
|
2017-09-25 19:55:21 |
OpenStack Infra |
nova: assignee |
Gage Hugo (gagehugo) |
Adam Young (ayoung) |
|
2017-10-31 16:36:20 |
Adam Young |
keystone: assignee |
Adam Young (ayoung) |
|
|
2017-10-31 16:39:42 |
Adam Young |
nova: assignee |
Adam Young (ayoung) |
|
|
2017-11-16 22:35:55 |
OpenStack Infra |
nova: assignee |
|
Adam Young (ayoung) |
|
2017-11-17 00:01:04 |
OpenStack Infra |
keystone: assignee |
|
Adam Young (ayoung) |
|
2017-12-05 21:57:48 |
OpenStack Infra |
nova: assignee |
Adam Young (ayoung) |
Lance Bragstad (lbragstad) |
|
2018-01-15 16:36:47 |
Thomas Kaergel |
bug |
|
|
added subscriber Thomas Kaergel |
2018-03-09 16:16:48 |
Yeeling Lam |
bug |
|
|
added subscriber Yeeling Lam |
2018-03-27 02:12:35 |
Dmitrii Shcherbakov |
bug |
|
|
added subscriber Dmitrii Shcherbakov |
2018-05-22 17:57:29 |
Sandor Zeestraten |
bug |
|
|
added subscriber Sandor Zeestraten |
2018-08-16 18:45:14 |
zxiiro |
bug |
|
|
added subscriber zxiiro |
2018-08-22 14:09:39 |
Fairbanks. |
bug |
|
|
added subscriber Fairbanks. |
2018-08-24 21:12:58 |
OpenStack Infra |
keystone: assignee |
Adam Young (ayoung) |
Lance Bragstad (lbragstad) |
|
2018-10-19 08:43:28 |
Uemit Seren |
bug |
|
|
added subscriber Uemit Seren |
2018-12-11 08:43:29 |
Fairbanks. |
removed subscriber Fairbanks. |
|
|
|
2018-12-13 12:47:24 |
Lukas Stehlik |
bug |
|
|
added subscriber Lukas Stehlik |
2018-12-24 11:36:42 |
Dominique Poulain |
bug |
|
|
added subscriber Dominique Poulain |
2019-02-08 10:03:49 |
Nick Edwards |
bug |
|
|
added subscriber Nick Edwards |
2019-03-24 20:38:46 |
OpenStack Infra |
keystone: assignee |
Lance Bragstad (lbragstad) |
Colleen Murphy (krinkle) |
|
2019-03-26 16:27:24 |
OpenStack Infra |
tags |
keystone |
in-stable-stein keystone |
|
2019-03-29 09:58:27 |
Kamil |
bug |
|
|
added subscriber Kamil |
2019-04-02 15:11:47 |
Yiorgos Stamoulis |
bug |
|
|
added subscriber Yiorgos Stamoulis |
2019-05-28 22:45:40 |
Rodolfo |
bug |
|
|
added subscriber Rodolfo |
2019-09-27 08:13:13 |
alexbarchiesi |
bug |
|
|
added subscriber alexbarchiesi |
2019-09-30 13:07:43 |
Lance Bragstad |
keystone: milestone |
|
train-rc1 |
|
2019-09-30 13:08:03 |
Lance Bragstad |
keystone: status |
In Progress |
Fix Committed |
|
2019-09-30 13:08:55 |
Lance Bragstad |
keystone: status |
Fix Committed |
Fix Released |
|
2020-02-24 08:54:20 |
Ding Deng |
removed subscriber Ding Deng |
|
|
|
2021-05-04 17:20:15 |
Adam Young |
neutron: status |
Triaged |
Fix Committed |
|
2021-05-04 17:21:07 |
Adam Young |
nova: status |
In Progress |
Fix Committed |
|
2021-05-04 17:25:09 |
Adam Young |
puppet-keystone: status |
New |
Invalid |
|
2021-05-05 07:43:03 |
Kamil |
removed subscriber Kamil |
|
|
|
2021-08-24 15:39:22 |
Rene Soto |
bug |
|
|
added subscriber Rene Soto |
2022-04-04 08:24:30 |
Ralf Heiringhoff |
bug |
|
|
added subscriber Ralf Heiringhoff |
2022-10-20 08:28:41 |
Rodolfo Alonso |
neutron: status |
Fix Committed |
Fix Released |
|
2023-03-23 02:06:35 |
Adam Young |
nova: status |
Fix Committed |
Confirmed |
|
2023-03-23 02:08:21 |
Adam Young |
nova: assignee |
Lance Bragstad (lbragstad) |
|
|
2023-03-24 12:56:00 |
Adam Young |
keystone: status |
Fix Released |
Confirmed |
|
2024-05-17 11:04:38 |
sean mooney |
nova: status |
Confirmed |
Won't Fix |
|