Reviewed:  https://review.openstack.org/240720
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9804081a80ef815a86407a64f967986a7bf9ba25
Submitter: Jenkins
Branch:    master

commit 9804081a80ef815a86407a64f967986a7bf9ba25
Author: Adam Young <ayo...@redhat.com>
Date:   Sun Nov 1 11:55:45 2015 -0500

    Updated Cloudsample
    
    Uses configuration options to determine if a token is for the admin
    project and should be granted admin privileges.
    
    Closes-Bug: 968696
    
    Change-Id: Ib23452e171dc90115c77fa5a4b9dc4649054eb0e


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/968696

Title:
  "admin"-ness not properly scoped

Status in Cinder:
  Fix Released
Status in Glance:
  New
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Identity (keystone):
  Fix Released
Status in neutron:
  Triaged
Status in OpenStack Compute (nova):
  Confirmed
Status in puppet-keystone:
  New

Bug description:
  Fact: Keystone's rbac model grants roles to users on specific tenants,
  and post-keystone redux, there are no longer "global" roles.

  Problem: Granting a user an "admin" role on ANY tenant grants them
  unlimited "admin"-ness throughout the system because there is no
  differentiation between a scoped "admin"-ness and a global
  "admin"-ness.

  I don't have a specific solution to advocate, but being an admin on
  *any* tenant simply *cannot* allow you to administer all of keystone.

  Steps to reproduce (from Horizon, though you could do this with the
  CLI, too):

  1. User A (existing admin) creates Project B and User B.
  2. User A adds User B to Project B with the admin role on Project B.
  3. User B logs in and now has unlimited admin rights not only to view
     things in the dashboard, but to take actions like creating new
     projects and users, managing existing projects and users, etc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/968696/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
