Public bug reported:

The default reader role doesn't meet the expectations from
https://docs.openstack.org/keystone/ussuri/admin/service-api-protection.html,
for example: "users with reader on a project could
list instance, users with member on a project can list and create
instances".

Actual results:
In my case, a reader can create/delete instances and also routers, networks, ...

Expected results:
 Users with the reader role should only list the mentioned resources and not
touch the virtual infrastructure.

Environment:
 CentOS 8.2.2004
 OpenStack release: Ussuri, deployed using kolla-ansible


Is there anything additional that needs to be done to set up the reader role? My
Keystone and Neutron policies are attached.

** Affects: keystone
     Importance: Undecided
         Status: New

** Attachment added: "keystone-policy.yaml"
   
https://bugs.launchpad.net/bugs/1915193/+attachment/5461952/+files/keystone-policy.yaml

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1915193

Title:
  User with reader role has same permissions as with member role

Status in OpenStack Identity (keystone):
  New
