# Revision history [back]

### Domain admin can access entities out of scope

I am trying to get Multi Domain Authentication to work. My Stack is fully operational aside from Domains and has been deployed using kolla-ansible (ocata).

I want to be able to create domains (for customers), who can then create their own projects, users and so on, without being able to see other domains. If I read the documentation correctly, that is the purpose of domains.

So I do the following: Create a domain, create a user in that domain, create an admin project in the domain and assign admin roles to the user in that project and the domain:

openstack domain create domain01
openstack user create --password secret --domain domain01 domain01_admin
openstack project create --domain domain01 domain01_admin_project


I already have a network defined from the the default domain in the admin project, which provides outside connectivity to the instances. When I now log in as the domain01_admin user using the following openrc file, I can happily modify the global network.

openrc.sh:

export OS_PROJECT_NAME=domain01_admin_project
export OS_PROJECT_DOMAIN_NAME=domain01
export OS_USER_DOMAIN_NAME=domain01

Executing openstack network set --disable lab succeeds, which is totally unexpected and would allow domain admins to actually take down outside connectivity for all instances.