Rocky keystone: admin role on project is too permissive

asked 2019-02-15 13:27:23 -0600

Mike B

updated 2019-02-18 16:09:48 -0600

Hello all,

I have noticed that keystone does not properly restrict access to users that are granted the admin role on a project in a domain. I have read through (this) bug report, which seems to describe this issue, but I am still not clear as to why I am getting the following behaviour:

# Create domain
openstack domain create --enable dom1

# Create project in the new domain
openstack project create --domain dom1 --enable project1

# Create user belonging to dom1 and project1
openstack user create --domain dom1 --project project1 --project-domain dom1 --password <password> --enable usr1

# Add the 'admin' role to 'user1' for 'project1'
openstack role add --project project1 --user usr1 --project-domain dom1 --user-domain dom1 admin

# After sourcing the credentials for usr1 (v3 credentials, project scoped, downloaded via horizon interface) I can now, successfully, run the following
openstack domain list

The relevant sections of keystone's policy file are as follows:

"cloud_admin": "role:admin and (is_admin_project:True or domain_id:default)",
"identity:list_domains": "rule:cloud_admin",

As I understand it this means that users may only list domains if they are the cloud_admin, which entails having an admin role and either having is_admin_project set to true ('admin_project_name' is unset in keystone.conf) or the domain_id of the request set to 'default'.

The user does have the admin role for the given project, but it is not an admin project nor is the domain 'default'; and yet the user is able to list domains!

Is this expected behaviour? Is keystone defaulting to the default domain for some reason when using project scoped credentials? I tried setting all of the domain related options of the 'openstack' command to point to dom1 to no avail.

Lastly, when giving usr1 the 'admin' role on dom1 but not project1 (and unsetting OS_PROJECT_ID and OS_PROJECT_NAME) I get the desired behaviour in that I cannot list domains (no longer cloud_admin) but I can list services etc (admin role).

Update (2/18/2019):

Testing using latest devstack shows that the property 'is_admin_project' defaults to true if admin_project_name and admin_project_domain_name are not specified in keystone.conf. This seemed to have been the case before Rocky, but because of the recent token overhaul my understanding was that the default behavior should be (false). Perhaps I am mistaken?

The domain_id:default check still does not seem to do anything, it is always false no matter what I set it to and with what credentials I perform an API request with.

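To make the evaluation of the two policy rules quoted in the question concrete, here is an added example (not part of the original post, and not keystone or oslo.policy code) that models how an oslo.policy-style rule string is checked against the credential dict a token produces. The credential dicts are constructed assumptions: a project-scoped token is modelled as carrying `project_id`/`project_domain_id` and an `is_admin_project` flag but no `domain_id`, and a domain-scoped token as carrying `domain_id`. Under that model the example shows why `identity:list_domains` passes for a project-scoped admin when `is_admin_project` defaults to true, fails once it is false, and why `domain_id:default` can never match a project-scoped request.

```python
"""Toy evaluator for oslo.policy-style rule strings (constructed example).

Models the evaluation of
    "role:admin and (is_admin_project:True or domain_id:default)"
against the credentials derived from a token. Not keystone or oslo.policy code.
"""
import ast
import re

# The two rules quoted from keystone's policy file in the question.
POLICY = {
    "cloud_admin": "role:admin and (is_admin_project:True or domain_id:default)",
    "identity:list_domains": "rule:cloud_admin",
}

# Tokens: parentheses, the keywords and/or, and "kind:match" checks.
_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:[^\s()]+")


class _Parser:
    """Recursive-descent parser: or_expr := and_expr ('or' and_expr)*."""

    def __init__(self, tokens, policy, creds):
        self.toks, self.i, self.policy, self.creds = tokens, 0, policy, creds

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def next(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self.peek() == "or":
            self.next()
            rhs = self.parse_and()  # always parsed, so tokens are consumed
            result = result or rhs
        return result

    def parse_and(self):
        result = self.parse_atom()
        while self.peek() == "and":
            self.next()
            rhs = self.parse_atom()
            result = result and rhs
        return result

    def parse_atom(self):
        tok = self.next()
        if tok == "(":
            result = self.parse_or()
            if self.next() != ")":
                raise ValueError("unbalanced parentheses in rule")
            return result
        return self._check(tok)

    def _check(self, tok):
        kind, _, match = tok.partition(":")
        if kind == "rule":          # reference to another named rule
            return evaluate(self.policy[match], self.policy, self.creds)
        if kind == "role":          # role check against the token's roles
            return match in self.creds.get("roles", [])
        # Generic check, modelled on oslo.policy's GenericCheck: a literal such
        # as "True" is evaluated to the Python value True, anything else is
        # compared as a string. A key absent from the credentials never matches.
        try:
            expected = ast.literal_eval(match)
        except (ValueError, SyntaxError):
            expected = match
        return kind in self.creds and self.creds[kind] == expected


def evaluate(rule, policy, creds):
    """Return True if `rule` (a rule string) grants access for `creds`."""
    parser = _Parser(_TOKEN_RE.findall(rule), policy, creds)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in rule: %r" % rule)
    return result


def project_scoped_creds(is_admin_project):
    # Assumption: a project-scoped token exposes project_domain_id, not domain_id.
    return {"roles": ["admin"], "project_id": "project1",
            "project_domain_id": "dom1", "is_admin_project": is_admin_project}


def domain_scoped_creds(domain_id):
    # Assumption: a domain-scoped token exposes domain_id and is not an admin project.
    return {"roles": ["admin"], "domain_id": domain_id, "is_admin_project": False}


def can_list_domains(creds):
    return evaluate(POLICY["identity:list_domains"], POLICY, creds)


if __name__ == "__main__":
    print("project admin, is_admin_project unset (defaults true):",
          can_list_domains(project_scoped_creds(True)))      # True
    print("project admin, is_admin_project false:",
          can_list_domains(project_scoped_creds(False)))     # False
    print("domain admin on 'default':",
          can_list_domains(domain_scoped_creds("default")))  # True
    print("domain admin on 'dom1':",
          can_list_domains(domain_scoped_creds("dom1")))     # False
```

The modelled credential dicts make the two observations in the question line up: the project-scoped admin on `project1` only gets past `cloud_admin` because the `is_admin_project` flag is true, and the `domain_id:default` branch never fires for that request because a project-scoped token contributes `project_domain_id`, not `domain_id`. Setting `admin_project_name` and `admin_project_domain_name` in keystone.conf is what turns the flag into a real check of the token's project rather than a default.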