In the official OpenStack documentation at docs.openstack.org, we read that as of Rocky, we use the Admin, Member and Reader roles, and that these roles can scope to a Project, a Domain or the System. On our RHOSP16.1 deployment we see that indeed these 3 roles exist, and that the roles can have the Project, Domain or System scope, but that the permissions coming from that assignment don't reflect those scopes.
To be precise: we have two domains: default and secondary_domain. If we create a project in the secondary_domain domain and we grant a user admin access on that project, he becomes a full OpenStack administrator. If we grant the user admin access on the secondary_domain domain (but not on the project), or admin access on the system, the user basically has no rights.
Are we correct in assuming that the new way of working with the Project / Domain / System scope is not yet in place on RHOSP16.1? In the past we had a custom role to grant people admin access only on their project - will we still need this in RHOSP16.1, to prevent a project admin from also acting as system admin on the full OpenStack deployment?
- Red Hat OpenStack Platform 16.1 (RHOSP)