OpenStack admin role

Solution In Progress - Updated -

Issue

  • In the official OpenStack documentation at docs.openstack.org, we read that as of Rocky, we use the Admin, Member and Reader roles, and that these roles can scope to a Project, a Domain or the System. On our RHOSP16.1 deployment we see that indeed these 3 roles exist, and that the roles can have the Project, Domain or System scope, but that the permissions coming from that assignment don't reflect those scopes.

  • To be precise: we have two domains: default and secondary_domain. If we create a project in the secondary_domain domain and we grant a user admin access on that project, he becomes a full OpenStack administrator. If we grant the user admin access on the secondary_domain domain (but not on the project), or admin access on the system, the user basically has no rights.

  • Are we correct in assuming that the new way of working with the Project / Domain / System scope is not yet in place on RHOSP16.1? In the past we had a custom role to grant people admin access only on their project - will we still need this in RHOSP16.1, to prevent a project admin from also acting as system admin on the full OpenStack deployment?

Environment

  • Red Hat OpenStack Platform 16.1 (RHOSP)
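
An audit check for the behaviour reported in the Issue above, as an added example that is not part of the original article or of Red Hat's code: it takes the reporter's observation (admin on any project acts as cloud-wide admin, while domain- or system-scoped admin carries almost no rights) as its assumption and sorts role assignments accordingly. The sample rows are constructed in the column layout of `openstack role assignment list --names -f json`, and the allow-list entry `admin@Default` is a hypothetical default.

```python
import json

# Constructed sample rows (not output from a real cloud), shaped like
# `openstack role assignment list --names -f json`.
SAMPLE = json.dumps([
    {"Role": "admin", "User": "alice@secondary_domain", "Group": "",
     "Project": "team_a@secondary_domain", "Domain": "", "System": "", "Inherited": False},
    {"Role": "admin", "User": "bob@secondary_domain", "Group": "",
     "Project": "", "Domain": "secondary_domain", "System": "", "Inherited": False},
    {"Role": "admin", "User": "carol@Default", "Group": "",
     "Project": "", "Domain": "", "System": "all", "Inherited": False},
    {"Role": "member", "User": "dave@secondary_domain", "Group": "",
     "Project": "team_a@secondary_domain", "Domain": "", "System": "", "Inherited": False},
])


def scope_of(row):
    """Return (scope kind, target) for one assignment row."""
    for kind in ("Project", "Domain", "System"):
        if row.get(kind):
            return kind.lower(), row[kind]
    return "unknown", ""


def audit_admin_assignments(raw_json, allowed_projects=("admin@Default",)):
    """Split admin assignments into two lists.

    findings:    project-scoped admin outside the allow-list; under the
                 reported behaviour these principals are full administrators.
    ineffective: domain- or system-scoped admin; under the reported
                 behaviour these grant almost nothing on this release.
    """
    findings, ineffective = [], []
    for row in json.loads(raw_json):
        if row.get("Role", "").lower() != "admin":
            continue
        principal = row.get("User") or row.get("Group") or "?"
        kind, target = scope_of(row)
        if kind == "project" and target not in allowed_projects:
            findings.append((principal, target))
        elif kind in ("domain", "system"):
            ineffective.append((principal, kind, target))
    return findings, ineffective


if __name__ == "__main__":
    escalated, no_effect = audit_admin_assignments(SAMPLE)
    for who, project in escalated:
        print(f"REVIEW  {who}: admin on project {project} (acts as cloud-wide admin)")
    for who, kind, target in no_effect:
        print(f"INFO    {who}: admin on {kind} {target} (scope not enforced)")
```
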
