The sudoers files as installed with OSP's openstack-tripleo-common package is much too permissive. It contains serveral lines for the mistral user that have wildcards that allow directory traversal with ".." and it grants full passwordless root access to the validations user.
Acknowledgments: Name: Garth Mollett (Red Hat)
Created openstack-tripleo-common tracking bugs for this issue: Affects: openstack-rdo [bug 1422281]