Domain admin can access entities out of scope

asked 2017-08-11 00:09:40 -0600

pdreker gravatar image

I am trying to get Multi Domain Authentication to work. My Stack is fully operational aside from Domains and has been deployed using kolla-ansible (ocata).

I want to be able to create domains (for customers), who can then create their own projects, users and so on, without being able to see other domains. If I read the documentation correctly, that is the purpose of domains.

So I do the following: Create a domain, create a user in that domain, create an admin project in the domain and assign admin roles to the user in that project and the domain:

openstack domain create domain01
openstack user create --password secret --domain domain01 domain01_admin
openstack role add --user domain01_admin --domain domain01 admin
openstack project create --domain domain01 domain01_admin_project
openstack role add --project domain01_admin_project --user domain01_admin

I already have a network defined from the the default domain in the admin project, which provides outside connectivity to the instances. When I now log in as the domain01_admin user using the following openrc file, I can happily modify the global network.

export OS_PROJECT_NAME=domain01_admin_project
export OS_PROJECT_DOMAIN_NAME=domain01
export OS_USER_DOMAIN_NAME=domain01
export OS_USERNAME=domain01_admin
export OS_PASSWORD=secret
export OS_AUTH_URL=
export OS_INTERFACE=internal

Executing openstack network set --disable lab succeeds, which is totally unexpected and would allow domain admins to actually take down outside connectivity for all instances.

I have found these Keystone Bugs on Launchpad (sorry, not enough Karma for actual Links...) https:// and https:// which seem related, but I cannot tell, if this is still the case or expected behaviour.

It seems like giving someone the admin role in a domain makes them admin on the full OpenStack setup (The problem does not seem to be limited to networks, the domain admin can also list all volumes outisde his domain and so on...)

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2017-08-11 04:07:52 -0600

ppeereb1 gravatar image

Do you have the v3 cloud policy on your controllers? ( . We're a bit struggeling with domains aswell so we still have it on default.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2017-08-10 10:12:44 -0600

Seen: 895 times

Last updated: Aug 11 '17