On 19/10/15 14:57, Adam Young wrote:
> While I tend to play up bug 968696 for dramatic effect, the reality is
> we have a logical contradiction on what we mean by 'admin' when talking
> about RBAC.
>
> In early iterations of OpenStack, roles were global. This is reflected
> in many of the Policy checks that only look for the global role.
> However, prior to the Keystone-Light rewrite, role assignments became
> scoped to tenants. This shows up in the Keystone git history. As this
> pattern got established, some people wrote policy checks that assert:
>
> role==admin and tenant_id=resource.tenant_id
>
> This contradicts the global-ness of the admin roles. If I assign
> ('joeuser', 'admin','mytenant') I've just granted them the ability to
> perform all of the admin operations.
I'm afraid I'm not sure I follow. Do you mean all of the admin operations on
resources that are protected only by 'role==admin'?

Neil

OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
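The contradiction in the quoted message, as an added illustration that is not part of the thread: a tiny stand-in evaluator (not oslo.policy; it supports only `role:X`, `KEY:%(TARGET_KEY)s` and `and`) run over constructed assignments, showing that a tenant-scoped ('joeuser', 'admin', 'mytenant') assignment passes a global-only `role:admin` check against another tenant's resource but fails the tenant-scoped form.

```python
# Added example, not from the thread: a minimal stand-in for the two policy
# styles Adam describes. It is not oslo.policy; it supports only the clauses
# "role:X", "KEY:%(TARGET_KEY)s" and the " and " conjunction.

# Keystone-style scoped assignments as (user, role, tenant); constructed data.
ASSIGNMENTS = [
    ("joeuser", "admin", "mytenant"),
    ("cloudop", "admin", "admintenant"),
]

def credentials(user, tenant):
    """Token-like view of a user scoped to one tenant: only roles held there."""
    roles = [r for (u, r, t) in ASSIGNMENTS if u == user and t == tenant]
    return {"user": user, "tenant_id": tenant, "roles": roles}

def check(rule, creds, target):
    """Return True if every clause of the rule holds for creds against target."""
    for clause in rule.split(" and "):
        key, value = clause.split(":", 1)
        if key == "role":
            if value not in creds["roles"]:
                return False
        elif value.startswith("%(") and value.endswith(")s"):
            # Generic attribute check: creds[key] must equal target[<name>].
            if str(creds.get(key)) != str(target.get(value[2:-2])):
                return False
        else:
            raise ValueError(f"unsupported clause: {clause}")
    return True

GLOBAL_ADMIN = "role:admin"                               # global-role style
SCOPED_ADMIN = "role:admin and tenant_id:%(tenant_id)s"   # tenant-scoped style

def demo():
    """Evaluate both styles for joeuser's tenant-scoped admin assignment."""
    joe = credentials("joeuser", "mytenant")
    other_tenant_server = {"tenant_id": "someoneelse"}   # constructed resource
    own_server = {"tenant_id": "mytenant"}
    return {
        "global_check_other_tenant": check(GLOBAL_ADMIN, joe, other_tenant_server),
        "scoped_check_other_tenant": check(SCOPED_ADMIN, joe, other_tenant_server),
        "scoped_check_own_tenant": check(SCOPED_ADMIN, joe, own_server),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Any API whose policy is only `role:admin` therefore treats a tenant-scoped admin as a global one; the scoped form denies it outside the assigned tenant.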