Bug 1385031

Summary: "admin"-ness not properly scoped
Product: Red Hat OpenStack
Reporter: Adam Young <ayoung>
Component: openstack-keystone
Assignee: Harry Rybacki <hrybacki>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavan <pkesavar>
Severity: high
Priority: high
Version: 9.0 (Mitaka)
CC: alee, hrybacki, lbragsta, nkinder, rmascena, srevivo
Target Milestone: zstream
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2020-03-19 18:11:22 UTC

Description Adam Young 2016-10-14 15:11:56 UTC
Description of problem:

Fact: Keystone's rbac model grants roles to users on specific tenants, and post-keystone redux, there are no longer "global" roles.

Problem: Granting a user an "admin" role on ANY tenant grants them unlimited "admin"-ness throughout the system because there is no differentiation between a scoped "admin"-ness and a global "admin"-ness.

Version-Release number of selected component (if applicable):


How reproducible:

100%

Steps to Reproduce:
1. Create a project named "dummy"
2. Grant a user "tester" the admin role on "dummy"
3. Get a token for the user "tester" scoped to project "dummy"
4. User can perform all admin operations everywhere.
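
As an added illustration, not code from this bug report or from Keystone itself, the following simplified model contrasts the two policy behaviours the report describes: a legacy "role:admin" rule that ignores where the role was granted, and a scoped rule, modelled on the system-scope approach that landed upstream, that only lets a project-scoped admin act on its own project. The Token class, rule functions and project ids are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Token:
    """Constructed, simplified token: roles plus a project or a system scope."""
    user: str
    roles: FrozenSet[str]
    project_id: Optional[str] = None    # set on project-scoped tokens
    system_scope: Optional[str] = None  # "all" on system-scoped tokens


Rule = Callable[[Token, Dict[str, str]], bool]


def legacy_admin_required(token: Token, target: Dict[str, str]) -> bool:
    # Behaviour the bug describes: "role:admin" alone, with no check of where
    # the role was granted, so admin on any project is admin everywhere.
    return "admin" in token.roles


def scoped_admin_required(token: Token, target: Dict[str, str]) -> bool:
    # Scoped behaviour: a system-scoped admin may act on any target, while a
    # project-scoped admin may only act on the project its token is scoped to.
    if "admin" not in token.roles:
        return False
    if token.system_scope == "all":
        return True
    return token.project_id is not None and token.project_id == target["project_id"]


def reproduce(rule: Rule) -> Dict[str, bool]:
    """Steps 1-4 of the report: 'tester' holds admin on 'dummy' only and tries
    an admin operation on 'dummy' and on an unrelated project."""
    tester = Token(user="tester", roles=frozenset({"admin"}), project_id="dummy-id")
    targets = {"own project": {"project_id": "dummy-id"},
               "other project": {"project_id": "other-id"}}
    return {name: rule(tester, tgt) for name, tgt in targets.items()}


def system_admin_everywhere(rule: Rule) -> bool:
    """The deployment operator, holding a system-scoped token, must still be
    admin on every project under either rule."""
    cloud_admin = Token(user="cloud-admin", roles=frozenset({"admin"}), system_scope="all")
    return all(rule(cloud_admin, {"project_id": pid}) for pid in ("dummy-id", "other-id"))


if __name__ == "__main__":
    print("legacy:", reproduce(legacy_admin_required))
    print("scoped:", reproduce(scoped_admin_required))
```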

Comment 1 Adam Young 2016-10-14 15:13:08 UTC
This is an issue across many components of OpenStack, but driven by Keystone, and requires changes for Oslo-Context as well as the policy enforcement for all the projects.

Comment 2 Harry Rybacki 2018-11-06 18:18:00 UTC
Re-assigning myself, current QE, and moving to NEW until we have a better idea of when the needed fixes will land upstream.

Comment 7 Raildo Mascena de Sousa Filho 2019-07-16 14:02:59 UTC
This BZ has been here for a while. As you can see in the upstream bug, https://bugs.launchpad.net/keystone/+bug/968696, we have submitted multiple fixes related to that, but it's too complex to consider that fixed for now; we're planning to keep working on the Policy approach to have this done in the next releases.

Comment 8 Lance Bragstad 2019-09-30 14:01:43 UTC
This is fixed upstream as of the Train release. All patches to address this issue landed before Train's release candidate.

https://bugs.launchpad.net/keystone/+bug/968696/comments/146

Comment 9 Ade Lee 2020-03-19 18:11:22 UTC
Fixed as of Train release. Any remaining work is being tracked in other BZs.