Hi,
When testing user access on OpenStack, the users are able to create objects outside of their given access scopes. For example: Reader roles can create objects inside of projects. There is an upstream keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.
In that bug, https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in nova: https://docs.openstack.org/nova/latest/configuration/sample-config.html.
Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://paste.ubuntu.com/p/NSgfGSmvJz/. The script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_dsv_openstack_tests.sh
Thanks,
Peter
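An added example, not part of the report or of the nova-compute charm: a check that reads the text of a rendered nova.conf and reports whether enforce_new_defaults is actually set. It assumes the option lives in the [oslo_policy] section (where oslo.policy registers it); the function name and the sample configs are constructed for illustration.

```python
import configparser

# Spellings oslo.config accepts for boolean options.
_TRUE = {"true", "1", "on", "yes"}
_FALSE = {"false", "0", "off", "no"}

def enforce_new_defaults_state(conf_text):
    """Return 'enabled', 'disabled', 'unset' or 'invalid' for nova.conf text."""
    parser = configparser.RawConfigParser(   # Raw: no % interpolation
        strict=False,                        # nova.conf may repeat a key
        # configparser would otherwise copy [DEFAULT] values into every
        # section; oslo.config treats DEFAULT as a separate group, so a
        # value placed there must not count as an [oslo_policy] setting.
        default_section="__no_default__",
    )
    parser.read_string(conf_text)
    if not parser.has_option("oslo_policy", "enforce_new_defaults"):
        return "unset"   # the service falls back to its release default
    value = parser.get("oslo_policy", "enforce_new_defaults").strip().lower()
    if value in _TRUE:
        return "enabled"
    if value in _FALSE:
        return "disabled"
    return "invalid"

# Constructed samples, not taken from a real deployment.
SAMPLE_ENABLED = "[oslo_policy]\nenforce_new_defaults = True\n"
SAMPLE_DISABLED = "[oslo_policy]\nenforce_new_defaults = off\n"
# Option written under the wrong section: it has no effect on policy.
SAMPLE_WRONG_SECTION = (
    "[DEFAULT]\n"
    "enforce_new_defaults = true\n"
    "[oslo_policy]\n"
    "policy_file = policy.yaml\n"
)
SAMPLE_INVALID = "[oslo_policy]\nenforce_new_defaults = maybe\n"

if __name__ == "__main__":
    for name, text in [("enabled", SAMPLE_ENABLED),
                       ("disabled", SAMPLE_DISABLED),
                       ("wrong section", SAMPLE_WRONG_SECTION),
                       ("invalid", SAMPLE_INVALID)]:
        print(f"{name}: {enforce_new_defaults_state(text)}")
```

A result of 'unset' means the behaviour depends on the default of the installed nova release, so it should be confirmed against that release's sample config rather than assumed.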