Description of problem:

Fact: Keystone's RBAC model grants roles to users on specific tenants, and post-Keystone redux, there are no longer "global" roles.

Problem: Granting a user an "admin" role on ANY tenant grants them unlimited "admin"-ness throughout the system because there is no differentiation between a scoped "admin"-ness and a global "admin"-ness.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Create a project named "dummy"
2. Grant a user "tester" the admin role on "dummy"
3. Get a token for the user "tester" scoped to project "dummy"
4. User can perform all admin operations everywhere.
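An added illustration (not from this BZ or from Keystone's own policy files) of the weak oslo.policy rule behind the reproducer and the scoped alternatives; the rule names and the %(project_id)s target key are assumed placeholders, and is_admin_project / system_scope are the attributes oslo.context exposes to the policy engine from the token.

```yaml
# Weak rule (assumed example): "admin" on any project is treated as global
# admin, which is exactly what the reproducer above exercises.
"admin_required": "role:admin"

# Scoped alternatives (assumed example rules):
# is_admin_project is set only for tokens scoped to the configured
# admin project, so a project-"admin" on "dummy" no longer passes.
"global_admin_via_admin_project": "role:admin and is_admin_project:True"

# system_scope:all is set only for system-scoped tokens (the Train-era
# model); project-scoped "admin" on "dummy" fails this check.
"global_admin_via_system_scope": "role:admin and system_scope:all"

# Project-level admin stays bounded to the project named in the target.
"project_admin": "role:admin and project_id:%(project_id)s"
```

To have oslo.policy reject out-of-scope tokens rather than only warn, set enforce_scope = True under [oslo_policy] in the service's configuration.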
This is an issue across many components of OpenStack, but driven by Keystone, and requires changes for Oslo-Context as well as the policy enforcement for all the projects.
Re-assigning myself, current QE, and moving to NEW until we have a better idea of when the needed fixes will land upstream.
This BZ has been here for a while. As you can see in the upstream bug, https://bugs.launchpad.net/keystone/+bug/968696, we have submitted multiple fixes related to that, but it's too complex to consider that fixed for now; we're planning to keep working on the Policy approach to have this done in the next releases.
This is fixed upstream as of the Train release. All patches to address this issue landed before Train's release candidate. https://bugs.launchpad.net/keystone/+bug/968696/comments/146
Fixed as of the Train release. Any remaining work is being tracked in other BZs.