Cinder ignores reader role conventions in default policies

Bug #1917795 reported by Lance Bragstad
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| Cinder  | New    | Medium     | Unassigned  |           |

Bug Description

In keystone, if I grant someone the reader role on a project [0], they're able to make writable changes in cinder.

Opening this bug to track work for cinder to consume keystone's default read-only `reader` role.

[0] $ openstack --os-cloud devstack-system-admin role add --user alice --user-domain default --project foobar --project-domain default reader
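
The behaviour reported above, as an added example that is not part of the original report or of Cinder's code: a small evaluator for a simplified subset of oslo.policy-style check strings, run against a credential that holds only `reader` on project `foobar`. The two policy dictionaries and the helper names are assumptions constructed for illustration, not Cinder's shipped defaults.

```python
# Added example. Supports only "role:", "is_admin:" and generic
# "key:%(key)s" checks joined by "and"/"or" (no parentheses, no "not").
# The policy dicts below are constructed, not copied from Cinder.

def check(atom, creds, target):
    kind, _, match = atom.strip().partition(":")
    if kind == "role":
        return match in creds["roles"]
    if kind == "is_admin":
        return str(creds.get("is_admin", False)) == match
    # Generic check, e.g. project_id:%(project_id)s, compared with the target.
    return str(creds.get(kind)) == match % target

def enforce(rule, creds, target):
    # "or" binds looser than "and", as in oslo.policy check strings.
    return any(all(check(a, creds, target) for a in clause.split(" and "))
               for clause in rule.split(" or "))

# Project match only: the caller's role is never consulted.
PROJECT_ONLY = {
    "volume:get": "is_admin:True or project_id:%(project_id)s",
    "volume:create": "is_admin:True or project_id:%(project_id)s",
    "volume:delete": "is_admin:True or project_id:%(project_id)s",
}
# Role-aware: reads need reader, writes need member, both scoped to the project.
ROLE_AWARE = {
    "volume:get": "role:reader and project_id:%(project_id)s",
    "volume:create": "role:member and project_id:%(project_id)s",
    "volume:delete": "role:member and project_id:%(project_id)s",
}
WRITE_ACTIONS = ("volume:create", "volume:delete")

# Constructed credential and target matching the report's setup.
ALICE = {"roles": {"reader"}, "project_id": "foobar"}
TARGET = {"project_id": "foobar"}

def reader_writable(policy, creds=ALICE, target=TARGET):
    """Write actions that a reader-only credential is allowed to perform."""
    return sorted(a for a in WRITE_ACTIONS if enforce(policy[a], creds, target))

if __name__ == "__main__":
    print("project-only rules:", reader_writable(PROJECT_ONLY))
    print("role-aware rules:  ", reader_writable(ROLE_AWARE))
```

Any non-empty result from `reader_writable` identifies write rules that a read-only role assignment still satisfies.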

Changed in cinder:
importance: Undecided → Medium
tags: added: keystone rbac reader role
OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder-tempest-plugin (master)

Change abandoned by "Luigi Toscano <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/778357
Reason: The scope of protection/RBAC test changed a bit over time, and other changes addressed and will address the use case of this review in a slightly different way. See for example https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/878672 and other related changes
