Public bug reported:

Hi Team,

I am able to add users or Technical users in projects from different domains. I don't think this is a default feature? Or is it? If yes, can we restrict users from being added from different domains/regions?

The keystone policy.json is present here:
https://github.com/sapcc/helm-charts/blob/master/openstack/keystone/templates/etc/_policy.json.tpl

The command used to add users from a different domain is:

  openstack role add --project <project_id> --user <user_id> <role_id>

Do we need to harden the policy wrt:

  "identity:create_role": "rule:cloud_admin",
or
  "identity:update_role": "rule:cloud_admin",

Debug logs show HTTP PUT is being used:

  PUT call to identity for <AUTH_URL>/v3/projects/<project_id>/users/<user_id>/roles/<role_id> used

Regards,
Rajiv

** Affects: keystone
     Importance: Undecided
         Status: New

** Tags: api-ref policy

https://bugs.launchpad.net/bugs/1897593

Title:
  How to restrict adding users in projects from different domains/regions ?

Status in OpenStack Identity (keystone):
  New

