On 10/19/2015 12:39 PM, Neil Jerram wrote:
> On 19/10/15 14:57, Adam Young wrote:
>> While I tend to play up bug 968696 for dramatic effect, the reality is
>> we have a logical contradiction on what we mean by 'admin' when talking
>> about RBAC.
>>
>> In early iterations of OpenStack, roles were global. This is reflected
>> in many of the Policy checks that only look for the global role.
>>
>> However, prior to the Keystone-Light rewrite, role assignments became
>> scoped to tenants. This shows up in the Keystone git history. As this
>> pattern got established, some people wrote policy checks that assert:
>>
>>     role==admin and tenant_id=resource.tenant_id
>>
>> This contradicts the global-ness of the admin roles. If I assign
>> ('joeuser', 'admin','mytenant') I've just granted them the ability to
>> perform all of the admin operations.
>
> I'm afraid I'm not sure I follow. Do you mean all of the admin
> operations on resources that are protected only by 'role==admin' ?

Yes, exactly. For example, Nova has such a call with "Hypervisors":
http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n159

And there is no clear project that this call can be scoped to.
Contrast this with update-quota, which should be scoped to a project:
http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n175

> Neil
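The two kinds of Nova policy check Adam contrasts, modelled in a small added example (this is not code from the thread, from Nova or from oslo.policy). The rule bodies, the sample assignment ('joeuser', 'admin', 'mytenant') and the "designated admin project" mitigation in the last check are constructed assumptions for illustration:

```python
# Added illustration: a minimal evaluator for two policy.json-style rules.
#   global check (hypervisors):   role:admin
#   scoped check (update-quota):  role:admin and tenant_id:%(tenant_id)s
# Credentials model a token: the roles held in the project the token is scoped to.

def make_creds(user, roles, project_id):
    """Token-like credential: user, roles in the scoped project, and that project id."""
    return {"user": user, "roles": set(roles), "project_id": project_id}

def check_global_admin(creds, target):
    """'role:admin' with no scoping: an admin assignment in ANY project passes."""
    return "admin" in creds["roles"]

def check_scoped_admin(creds, target):
    """'role:admin and tenant_id:%(tenant_id)s': admin in the target's own project."""
    return "admin" in creds["roles"] and creds["project_id"] == target.get("tenant_id")

# Constructed mitigation (not proposed in the thread): only treat 'admin' as a
# cloud-wide role when the token is scoped to one designated admin project.
ADMIN_PROJECT = "cloud-admins"  # constructed value

def check_admin_project(creds, target, admin_project_id=ADMIN_PROJECT):
    """Global operations require admin in the designated admin project, not just anywhere."""
    return "admin" in creds["roles"] and creds["project_id"] == admin_project_id

def demo():
    # ('joeuser', 'admin', 'mytenant') from the thread; token scoped to mytenant.
    joe = make_creds("joeuser", ["admin"], "mytenant")
    hypervisor = {}                            # resource with no owning project
    other_quota = {"tenant_id": "othertenant"} # someone else's project
    own_quota = {"tenant_id": "mytenant"}      # joe's own project
    return {
        # The contradiction: a tenant-scoped admin passes the global-only check.
        "hypervisor_global": check_global_admin(joe, hypervisor),
        # The scoped check behaves as intended.
        "other_quota_scoped": check_scoped_admin(joe, other_quota),
        "own_quota_scoped": check_scoped_admin(joe, own_quota),
        # With an admin-project requirement, mytenant's admin no longer passes.
        "hypervisor_admin_project": check_admin_project(joe, hypervisor),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```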
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev