Domain admin can access entities out of scope

I am trying to get Multi Domain Authentication to work. My stack is fully operational aside from domains and has been deployed using kolla-ansible (Ocata).

I want to be able to create domains (for customers), who can then create their own projects, users and so on, without being able to see other domains. If I read the documentation correctly, that is the purpose of domains.

So I do the following: Create a domain, create a user in that domain, create an admin project in the domain and assign admin roles to the user in that project and the domain:

openstack domain create domain01
openstack user create --password secret --domain domain01 domain01_admin
openstack role add --user domain01_admin --domain domain01 admin
openstack project create --domain domain01 domain01_admin_project
openstack role add --project domain01_admin_project --user domain01_admin admin

I already have a network defined from the default domain in the admin project, which provides outside connectivity to the instances. When I now log in as the domain01_admin user using the following openrc file, I can happily modify the global network.

openrc.sh:

export OS_PROJECT_NAME=domain01_admin_project
export OS_PROJECT_DOMAIN_NAME=domain01
export OS_USER_DOMAIN_NAME=domain01
export OS_USERNAME=domain01_admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://10.10.0.120:35357/v3
export OS_INTERFACE=internal
export OS_IDENTITY_API_VERSION=3

Executing openstack network set --disable lab succeeds, which is totally unexpected and would allow domain admins to actually take down outside connectivity for all instances.

I have found these Keystone bugs on Launchpad (sorry, not enough karma for actual links...) https://bugs.launchpad.net/keystone/+bug/968696 and https://bugs.launchpad.net/keystone/+bug/1577996 which seem related, but I cannot tell if this is still the case or expected behaviour.

It seems like giving someone the admin role in a domain makes them admin on the full OpenStack setup (the problem does not seem to be limited to networks, the domain admin can also list all volumes outside his domain and so on...).
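Added example (not part of the question above, and not oslo.policy or any project's own code): a small model of how an OpenStack policy rule decides whether a token counts as "admin". It evaluates only the subset of the rule language the two sample policies need (role:X, is_admin:1, rule:name, and/or, parentheses, %(target.key)s substitution). The first policy's admin_required rule mirrors the Ocata-era default ("role:admin or is_admin:1"), which never looks at what the token is scoped to; the second, domain-aware update_network rule is a hypothetical written for this illustration (real Neutron targets carry the owning project, not a domain, which is part of why per-domain admin is awkward there). The credential and target dicts are constructed to match the names used in the question.

```python
"""Simplified model of OpenStack policy rule evaluation (added example).

Not oslo.policy: only role:X, is_admin:1, rule:NAME, and/or, parentheses and
%(target.KEY)s substitution are supported. 'and' binds tighter than 'or'.
"""

# Mirrors the Ocata-era default: any token carrying the admin role, in any
# scope, satisfies admin_required.
DEFAULT_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "update_network": "rule:admin_required",
}

# Hypothetical domain-aware variant: admin only over targets owned by the
# domain the token is scoped to.
DOMAIN_SCOPED_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "update_network": "rule:admin_required and domain_id:%(target.domain_id)s",
}


def tokenize(rule):
    """Split on whitespace; peel leading '(' and trailing ')' into own tokens.

    Done this way so that '%(target.domain_id)s' stays one token."""
    tokens = []
    for word in rule.split():
        lead = len(word) - len(word.lstrip("("))
        word = word[lead:]
        trail = len(word) - len(word.rstrip(")"))
        core = word[: len(word) - trail] if trail else word
        tokens.extend(["("] * lead)
        if core:
            tokens.append(core)
        tokens.extend([")"] * trail)
    return tokens


class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def next(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.next()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_atom()
        while self.peek() == "and":
            self.next()
            node = ("and", node, self.parse_atom())
        return node

    def parse_atom(self):
        tok = self.next()
        if tok == "(":
            node = self.parse_or()
            if self.next() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        kind, _, match = tok.partition(":")
        return ("check", kind, match)


def parse(rule):
    parser = _Parser(tokenize(rule))
    node = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in rule: %r" % rule)
    return node


def evaluate(node, policy, creds, target):
    """Evaluate a parsed rule against token credentials and the target object."""
    if node[0] == "or":
        return evaluate(node[1], policy, creds, target) or evaluate(node[2], policy, creds, target)
    if node[0] == "and":
        return evaluate(node[1], policy, creds, target) and evaluate(node[2], policy, creds, target)
    _, kind, match = node
    if kind == "rule":                      # reference to another named rule
        return enforce(policy, match, creds, target)
    if kind == "role":                      # role carried by the token
        return match in creds.get("roles", [])
    # Generic check: substitute %(target.KEY)s, then compare with the credential.
    match = match % {"target." + k: v for k, v in target.items()}
    return str(creds.get(kind)) == match


def enforce(policy, action, creds, target):
    return evaluate(parse(policy[action]), policy, creds, target)


# Constructed credentials, as a scoped token would present them.
DOMAIN01_ADMIN = {"user_id": "domain01_admin", "roles": ["admin"],
                  "project_id": "domain01_admin_project", "domain_id": "domain01"}
CLOUD_ADMIN = {"user_id": "admin", "roles": ["admin"],
               "project_id": "admin", "domain_id": "default"}
MEMBER = {"user_id": "alice", "roles": ["_member_"], "domain_id": "domain01"}
# Constructed target: the 'lab' network owned by the default domain.
LAB_NETWORK = {"name": "lab", "domain_id": "default"}

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("domain-scoped", DOMAIN_SCOPED_POLICY)):
        print(name, "domain01_admin can update lab:",
              enforce(policy, "update_network", DOMAIN01_ADMIN, LAB_NETWORK))
```

Under the default policy the domain01_admin token passes update_network on the default domain's network exactly as the cloud admin does, which is the behaviour described in the question; only a rule that compares the token's scope with the target denies it. The practical check is therefore to read the admin_required rule in the policy file that each service (Neutron, Cinder, and so on) actually loads, not just Keystone's.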