Openstack global vs. project roles: What do they mean?

Could someone please shed some light on the role concept of Openstack? I'm confused by contradicting statements in the admin guide, strange behaviour of my Icehouse installation, and various forum responses regarding this topic.

The admin guide states that role assignments are always done in project/tenant scope. I would conclude that the individual assignment should also only take effect in that scope. The admin guide does not mention any concept of global roles.

However, the keystone API description does:

GET v2.0/users/{userId}/roles?serviceId=string List global roles for a user.

but claims this actually doesn't work.

To make things worse, here is what I observe with my Keystone setup, using Horizon's Identity panel. Let "michael" be my user name, with the following project and role assignments, done by the admin user (who in turn is admin in tenant admin):

  • demo1: _member_, admin
  • demo2: _member_
  • demo3:

Now, logging in as user michael, I'm getting demo1 and demo2 in the context selection box at the top. That's fine, as I'm only a member of these. Selecting demo2, I'm not getting any Identity panel, which also looks plausible, as I'm not admin in that project.

However, if I select demo1, I'm getting the Identity panel, and that is presenting me all projects including demo3! Plus, it allows me to assign myself to demo3, and to grant myself any role I like in demo3 and demo2!!

That's disturbing. It looks like I acquired global admin power across all projects just by being assigned the admin role in one of them? Is that intended behaviour, or is it a bug?

Being there, what is the purpose of the "admin" tenant? Is being a member or an admin of this tenant supposed to introduce any more power than being admin of a mortal project? And if so, what extra power, and how is that accomplished?

Thanks a lot in advance! Michael
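The distinction the question is circling around, a policy rule that only checks for the role name versus one that also checks the token's project scope, can be made concrete with a toy evaluator. The following is an added example, not code from the original post or from Keystone: it models the three assignments described above as constructed data and compares two rules for the "grant a role" operation. The `kind:value` rule syntax is a deliberately simplified imitation of Keystone's policy.json checks (Keystone's real evaluator is oslo.policy, which is not used here), and the rule names GLOBAL_ADMIN and SCOPED_ADMIN are assumptions for illustration.

```python
"""Toy model of project-scoped vs. global admin checks (added example).

Constructed from the assignments in the question: user "michael" is
admin + _member_ in demo1, _member_ only in demo2, nothing in demo3.
The rule syntax imitates policy.json's 'kind:value' atoms joined by
'and' / 'or'; it is a simplification, not Keystone's own code.
"""
from dataclasses import dataclass, field

# Constructed role assignments (user, project) -> set of role names.
ASSIGNMENTS = {
    ("michael", "demo1"): {"_member_", "admin"},
    ("michael", "demo2"): {"_member_"},
    ("michael", "demo3"): set(),
}
PROJECTS = ("demo1", "demo2", "demo3")


@dataclass
class Creds:
    """What a project-scoped token carries: the user, the project the
    token is scoped to, and only the roles held in that project."""
    user_id: str
    project_id: str
    roles: set = field(default_factory=set)


def token_for(user, project):
    """Issue a project-scoped credential for `user` in `project`."""
    return Creds(user, project, set(ASSIGNMENTS.get((user, project), set())))


def _check(atom, creds, target):
    """Evaluate one 'kind:value' atom against the credentials.

    'role:X' passes if X is among the token's roles; any other kind is
    compared to the credential field of that name. '%(name)s' in the
    value is substituted from the target being acted upon."""
    kind, _, match = atom.partition(":")
    match = match % target
    if kind == "role":
        return match in creds.roles
    return getattr(creds, kind, None) == match


def evaluate(rule, creds, target):
    """'and' binds tighter than 'or', as in policy.json."""
    return any(
        all(_check(atom.strip(), creds, target) for atom in clause.split(" and "))
        for clause in rule.split(" or ")
    )


# Rule that only looks at the role name: holding "admin" in the project the
# token is scoped to is enough, whatever project is being modified.
GLOBAL_ADMIN = "role:admin"
# Rule that also requires the token to be scoped to the target project.
SCOPED_ADMIN = "role:admin and project_id:%(target_project_id)s"


def can_grant(rule, user, scoped_to, target_project):
    """May `user`, holding a token scoped to `scoped_to`, grant a role
    in `target_project` under `rule`?"""
    creds = token_for(user, scoped_to)
    return evaluate(rule, creds, {"target_project_id": target_project})


def reachable_targets(rule, user):
    """Audit helper: every project the user can modify under `rule`,
    trying a token scoped to each project they could log in to."""
    return {
        target
        for scope in PROJECTS
        if token_for(user, scope).roles          # can obtain a token there
        for target in PROJECTS
        if can_grant(rule, user, scope, target)
    }


if __name__ == "__main__":
    # The behaviour observed in the question: a demo1-scoped token can
    # grant roles in demo3 under the role-name-only rule.
    print("global rule, demo1 -> demo3:", can_grant(GLOBAL_ADMIN, "michael", "demo1", "demo3"))
    print("scoped rule, demo1 -> demo3:", can_grant(SCOPED_ADMIN, "michael", "demo1", "demo3"))
    print("reachable under global rule:", sorted(reachable_targets(GLOBAL_ADMIN, "michael")))
    print("reachable under scoped rule:", sorted(reachable_targets(SCOPED_ADMIN, "michael")))
```

`reachable_targets` is the check an operator would run when reviewing a policy file: under the role-name-only rule a single admin assignment in demo1 reaches all three projects, under the scoped rule it reaches demo1 alone.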