I have an openstack victoria cloud setup. I am using default policy of keystone and have not made any changes to that policy.
I have created a test user names testuser in openstack. I assigned it primary project as testproject and admin role. But when I login as testuser, I am able to access the admin project as well. Its like my scope is not limited to testproject.
According to the documentation
https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
Project administrators can only view and modify data within the project they have authorization on. They’re able to view information about their projects and set tags on their projects. They’re not allowed to view system or domain resources, as that would violate the tenancy of their role assignment. Since the majority of the resources in keystone’s API are system and domain-specific, project administrators don’t have much authorization.
openstack role assignment list --names --project testproject --role admin
+-------+------------------+-------+---------------------+--------+--
| Role | User | Group | Project | Domain | System | Inherited |
+-------+------------------+-------+---------------------+--------+--
| admin | testuser@Default | | testproject@Default | | | False |
+-------+------------------+-------+---------------------+--------+--
# openstack role assignment list --names --project admin
+-------+---------------+-------+---------------+--------+--------+--
| Role | User | Group | Project | Domain | System | Inherited |
+-------+---------------+-------+---------------+--------+--------+--
| admin | admin@Default | | admin@Default | | | False |
+-------+---------------+-------+---------------+--------+--------+--
What should I do to limit user to the scope of its assigned primary project?
0 Answers