Public bug reported:

Any user with the admin role in any project can perform random operations in any 
other domain and project, including 'Default'. For example, deleting cinder 
volumes and nova instances.
If I ask for a domain-scoped token (as domain admin) from the openstack CLI or directly 
from the keystone API via curl, then I cannot do operations outside of that 
particular domain - as expected.

Everything behaves normally when the domain admin concept is not used at all,
e.g. there is one Default domain, one user with the admin role, and all other
users in other domains are using the _member_ role.

Horizon and keystone are using policy from here:
https://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json

Snippet from horizon local_settings.py
...
# Path to directory containing policy.json files
ROOT_PATH = '/etc/horizon/'
POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
POLICY_FILES = {
    'identity': 'keystone_policy.json',
}
...


Versions:
horizon (12.0.2.dev6)
keystone (12.0.1.dev6)
keystoneauth1 (3.1.0)
keystonemiddleware (4.17.0)
python-keystoneclient (3.13.0)

** Affects: horizon
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1741092

Title:
  project admin can delete everything in all domains

Status in OpenStack Dashboard (Horizon):
  New
