Revision history

Since you are using the V2.0 API, the answer is with respect to V2.0. Role definition is global and role assignment is project specific.

That's disturbing. It looks like I acquired global admin power across all projects just by being assigned to the admin role in one of them? Is that intended behavior, or is it a bug?

That is how v2 works. "admin" is a global admin (similar to the root user). What you are looking for is something like "project_admin", which is an admin only for a project, and this concept is not possible with the keystone v2 API. With the keystone v3 API it is possible, but you need to change all the services' authorization policy files to add this role.

In V2, either you can do everything across all the services via "admin" role assignments, or you can't do anything useful.

Update 1:

Yes. No special meaning. All the services require a service tenant to talk to keystone. They need an admin or service role on that tenant. All the services for some reason forgot about the "service" role and keep on using the "admin" role. So if you create a tenant, say "MyTenant", assign it either the "admin" or "service" role, and change the service configuration file (nova.conf/swift.conf etc.) to use this tenant, everything will work. That is for service-to-keystone interaction. Most of the operations on a service require a user with the "admin" role on any tenant. As long as you have any user who has the "admin" role in any tenant, you can do any operation on a service.
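The two situations the answer contrasts, a v2-era service policy that checks only `role:admin` (so an admin assignment in any one tenant is effectively global) and a v3 deployment where every service's policy file is edited to add a project-scoped admin role, can be seen side by side with a small policy evaluator. This is an added example, not code from the answer and not Keystone or oslo.policy itself: it reimplements only a tiny subset of the policy rule syntax (`role:<name>` and `project_id:%(project_id)s` terms joined by `and`/`or`); the users, tenants and role assignments are constructed, and the `project_admin` rule is a hypothetical one a deployment could add to its policy files.

```python
"""Toy policy evaluator showing why a v2 "admin" role is global.

Added example: a small reimplementation of the rule syntax used in
OpenStack policy files ("role:<name>", "project_id:%(project_id)s",
joined by "and"/"or"). It is not oslo.policy and not Keystone code.
Users, tenants and role assignments below are constructed.
"""
from dataclasses import dataclass

# Constructed role assignments: roles are granted per (user, tenant) pair,
# which is the "role assignment is project specific" half of the answer.
ASSIGNMENTS = {
    ("alice", "tenant-a"): frozenset({"admin"}),          # admin in ONE tenant only
    ("bob", "tenant-a"): frozenset({"member"}),
    ("carol", "tenant-a"): frozenset({"project_admin"}),  # hypothetical scoped role
}
PROJECTS = ("tenant-a", "tenant-b", "tenant-c")

# The check the v2-era service policy files effectively use: no project comparison.
V2_ADMIN_RULE = "role:admin"
# Hypothetical rule a v3 deployment could add to each service's policy file
# so that admin power stops at the project boundary.
PROJECT_ADMIN_RULE = "role:project_admin and project_id:%(project_id)s"


@dataclass(frozen=True)
class Credentials:
    """What a project-scoped token carries: its scope and the roles held there."""
    user: str
    project_id: str
    roles: frozenset


def issue_token(user, project_id):
    """Model a project-scoped token: only roles assigned in that tenant appear."""
    return Credentials(user, project_id, ASSIGNMENTS.get((user, project_id), frozenset()))


def _check_term(term, creds, target):
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in creds.roles
    if kind == "project_id":
        # "%(project_id)s" is filled in from the target resource, as in policy files.
        return creds.project_id == (value % target)
    raise ValueError(f"unsupported check: {term!r}")


def check_rule(rule, creds, target):
    """'or' is the weakest-binding operator, 'and' binds tighter (as in oslo.policy)."""
    return any(
        all(_check_term(term.strip(), creds, target) for term in conj.split(" and "))
        for conj in rule.split(" or ")
    )


def can_act(rule, user, scope_project, target_project):
    """Can a token for `user` scoped to `scope_project` act on a resource in `target_project`?"""
    creds = issue_token(user, scope_project)
    return check_rule(rule, creds, {"project_id": target_project})


def blast_radius(rule, user, scope_project):
    """Projects that one scoped token can administer under `rule`."""
    return [p for p in PROJECTS if can_act(rule, user, scope_project, p)]


if __name__ == "__main__":
    # alice is admin in tenant-a only, yet under the v2 rule her token reaches every project
    print("v2 admin, alice@tenant-a ->", blast_radius(V2_ADMIN_RULE, "alice", "tenant-a"))
    # carol is project_admin in tenant-a; the scoped rule keeps her inside tenant-a
    print("scoped,   carol@tenant-a ->", blast_radius(PROJECT_ADMIN_RULE, "carol", "tenant-a"))
```

The useful defender's check is `blast_radius`: under `role:admin` a token scoped to the one tenant where alice holds admin passes the check against resources in every project, which is exactly the "global admin" behaviour the questioner found surprising. The scoped rule only helps if it is present in each service's policy file, which is the work the answer says the v3 route requires.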