block non-admin user from granting admin role
Hello,
I want to create a multi-domain environment. Domain admins will have the role "DomainAdmin".
From keystone's view, DomainAdmin has the same rights as admin (done by "admin_required": "role:admin or role:DomainAdmin"
in policy.json).
It was solved this way because other projects (like nova or neutron) don't care about domains, and I don't want domain admins to be treated like global admins. These users should only have privileges to create projects & users in their own domain.
And all would be fine, but "DomainAdmin" can assign the "admin" role to anyone, which causes a high security risk.
Maybe someone knows a way to prevent this situation? I would be very grateful for any help.
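The following policy.json fragment is an added illustration, not part of the original post or of keystone's shipped policy files. It places the poster's "admin_required" rule next to a hardened variant that keeps DomainAdmin out of the "admin" role grant. It assumes that keystone passes the role being granted into the policy target as target.role.name (the same target.role.* attributes that keystone's own sample policies reference for grant rules) and that the rules are evaluated by oslo.policy, where a quoted literal on the left of a colon is compared with the target attribute on the right.

```json
{
  "admin_required": "role:admin or role:DomainAdmin",

  "identity:create_project": "rule:admin_required",
  "identity:create_user": "rule:admin_required",

  "grants_admin_role": "'admin':%(target.role.name)s",
  "domain_admin_grant": "role:DomainAdmin and not rule:grants_admin_role",
  "identity:create_grant": "role:admin or rule:domain_admin_grant",

  "identity:create_role": "role:admin",
  "identity:update_role": "role:admin",
  "identity:delete_role": "role:admin"
}
```

With this fragment a user holding only DomainAdmin can still create projects and users and can grant any role except "admin"; a grant of "admin" is denied unless the caller also holds "admin". The role management calls are restricted to "admin" on purpose: if DomainAdmin could rename or recreate roles, the name check on the grant could be bypassed. Two things this fragment does not cover and that should be checked separately: DomainAdmin can still grant DomainAdmin itself (so domain admins can mint more domain admins), and group membership changes (identity:add_user_to_group) are another way to reach a role that a group already holds. Verify the exact target attribute names against the keystone version in use before relying on the rule.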