Admin rbac filtering too lenient
Bug #1496464 reported by Travis Tripp
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Searchlight | Fix Released | High | Steve McLellan | |
Bug Description
The current filtering is too lenient when an admin-scoped token is passed through the system.
This is resulting in an admin being scoped to a project, but still receiving results for all projects. We should allow passing a field such as all_projects or similar. If that isn't passed, then Searchlight will still perform normal project-scoped filtering.
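The behaviour requested in the report, sketched as an added example (this is not part of the original report and is not Searchlight's code): an admin token is filtered to its own project unless cross-project results are explicitly requested. `RequestContext`, `Forbidden`, the `project_id` document field and the Elasticsearch-style `bool` wrapper are assumptions made for illustration; `all_projects` is the field name suggested in the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Hypothetical stand-in for the identity carried by the token."""
    project_id: str
    is_admin: bool = False


class Forbidden(Exception):
    pass


def rbac_filter(ctx, all_projects=False):
    """Return the project filter clause, or None when no project filter applies."""
    if all_projects:
        # Cross-project results are an explicit opt-in, and only for admins.
        if not ctx.is_admin:
            raise Forbidden("all_projects requires an admin token")
        return None
    if not ctx.project_id:
        raise Forbidden("token is not scoped to a project")
    # Default path: an admin is filtered to the token's project like any user.
    return {"term": {"project_id": ctx.project_id}}


def wrap_query(user_query, ctx, all_projects=False):
    """Combine the caller's query with the RBAC filter (assumed bool-query shape)."""
    flt = rbac_filter(ctx, all_projects)
    if flt is None:
        return user_query
    return {"bool": {"must": [user_query], "filter": [flt]}}


def visible(docs, ctx, all_projects=False):
    """Apply the same rule in memory, to show the effect on sample documents."""
    flt = rbac_filter(ctx, all_projects)
    if flt is None:
        return list(docs)
    return [d for d in docs if d["project_id"] == flt["term"]["project_id"]]


# Constructed sample documents, not real index contents.
DOCS = [
    {"id": "img-1", "project_id": "proj-a"},
    {"id": "img-2", "project_id": "proj-b"},
    {"id": "srv-1", "project_id": "proj-a"},
]
```
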
Changed in searchlight:
milestone: none → liberty-rc1
Changed in searchlight:
status: Fix Committed → Fix Released
Changed in searchlight:
milestone: liberty-rc1 → 0.1.0.0
A large part of what RBAC does is restrict to the tenant. 'admin' is logically equivalent to 'cloud admin' in the current implementation, so maybe we need to tidy up what we mean, or clearly delineate what a tenant admin can do versus what an ordinary user can't (although I can't think of anything at the moment) versus a cloud admin.