Domain aware policy should restrict certain operations to cloud admin
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Nathan Kinder | | |
Bug Description
The domain aware policy that is provided as a part of keystone (policy.
cloud admin - responsible for overall cloud management
domain admin - responsible for management within a domain
project admin/owner - responsible for management of a project
There are some APIs that should be restricted to the cloud admin, but they are currently allowed to any user with the "admin" role that is defined at any scope, such as the administrator of a project. Some examples are the region and federation APIs:
-------
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
"identity:
-------
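The scoping gap described above can be checked by evaluating each cloud-level rule against a project administrator's credentials, shown here as an added example that is not part of the original report or of keystone's code. The policy entries, the `admin_domain_id` placeholder, the credential dictionaries and the simplified rule evaluator are all assumptions made for illustration; the evaluator covers only a small subset of the policy language.

```python
import re

# Constructed sample policy, not keystone's shipped file. The rule names,
# targets and the "admin_domain_id" placeholder are assumptions.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:create_region": "rule:admin_required",
    "identity:delete_region": "rule:cloud_admin",
    "identity:create_identity_provider": "rule:cloud_admin or role:admin",
}

# Constructed credentials: the admin of a single project, and the cloud admin.
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "p1", "user_id": "u1"}
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "admin_domain_id", "user_id": "u0"}

CHECK = re.compile(r"(\w+):([\w.-]+)")
BOOLEAN_ONLY = re.compile(r"(?:True|False|and|or|not|[()\s])+")


def allowed(policy, expr, creds, depth=0):
    """Evaluate a simplified policy expression (and/or/not, parentheses)."""
    if depth > 20:
        raise ValueError("rule recursion too deep")

    def check(match):
        kind, value = match.groups()
        if kind == "rule":  # reference to another named rule
            return str(allowed(policy, policy[value], creds, depth + 1))
        if kind == "role":  # role membership
            return str(value in creds.get("roles", []))
        # generic check: credential attribute must equal the literal
        return str(kind in creds and str(creds[kind]) == value)

    boolean = CHECK.sub(check, expr)
    # Only boolean literals, operators and parentheses may reach eval().
    if not BOOLEAN_ONLY.fullmatch(boolean):
        raise ValueError("unsupported expression: " + expr)
    return eval(boolean, {"__builtins__": {}})


def overly_permissive(policy, cloud_only, creds=PROJECT_ADMIN):
    """Return the cloud-only targets that non-cloud credentials still pass."""
    return sorted(t for t in cloud_only if allowed(policy, policy[t], creds))


if __name__ == "__main__":
    targets = [t for t in POLICY if t.startswith("identity:")]
    print(overly_permissive(POLICY, targets))
```

Evaluating with real credentials rather than searching for the `cloud_admin` string also catches rules such as `rule:cloud_admin or role:admin`, where the scoped check is present but bypassed.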
Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
summary:
- Domain aware policy shoule restrict certain operations to cloud admin
+ Domain aware policy should restrict certain operations to cloud admin

Changed in keystone:
importance: Undecided → Medium

Changed in keystone:
milestone: none → kilo-1

Changed in keystone:
status: Fix Committed → Fix Released

Changed in keystone:
milestone: kilo-1 → 2015.1.0
tags: added: juno-backport-potential
Fix proposed to branch: master
Review: https://review.openstack.org/128788