Security: should an admin of one tenant be allowed to reboot a server belonging to a different tenant?

Asked by Mandar Vaze

I want to understand if there is a concept of tenant-level admin vs. global admin.

Currently it seems like the only check done is whether the user has the admin role or not (no check is done to match the tenant if the user has the admin role). This results in a scenario where demoAdmin can reboot adminServer. This seems like a security violation.

==========
I have a "devstack" setup with two tenants: admin and demo.
I created a user "demoadmin" and assigned the "admin" role to this user for tenant "demo" using:
"keystone user-role-add --role <uuid_of_admin_role> --tenant_id <uuid_of_demo_tenant> --user <uuid>"

When I log in to the dashboard using this account, I can only see a single project/tenant, i.e. "demo", as expected.

In another tenant, "admin", I created an instance "adminServer". I have its UUID stored for testing.
Now, using "demoadmin" credentials, I can successfully reboot "adminServer".

Expected response:
Reboot should not be allowed.

Actual response:
"adminServer" is rebooted using "demoadmin" credentials.
==========
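
The check the question describes, next to the tenant-scoped check the asker expected, as an added illustration that is not part of the original post and is not nova's code. The `Context` and `Server` classes, the `global_admin_tenants` parameter, and every sample user other than `demoadmin` are assumptions made for the example.

```python
from dataclasses import dataclass
from functools import partial

@dataclass(frozen=True)
class Context:              # hypothetical request context
    user: str
    tenant: str             # tenant the credentials are scoped to
    roles: frozenset

@dataclass(frozen=True)
class Server:               # hypothetical instance record
    name: str
    tenant: str             # owning tenant

def role_only_check(ctx, server):
    """Behaviour reported in the question: the role is checked, the tenant is not."""
    return "admin" in ctx.roles

def tenant_scoped_check(ctx, server, global_admin_tenants=frozenset()):
    """Behaviour the asker expected: the admin role applies only inside the
    caller's tenant, unless that tenant is explicitly listed as global admin
    (the global-admin list is an assumption of this example)."""
    if "admin" not in ctx.roles:
        return False
    if ctx.tenant in global_admin_tenants:
        return True
    return ctx.tenant == server.tenant

def cross_tenant_grants(check, contexts, servers):
    """Audit helper: every (user, server) pair where the check lets a caller
    act on a server owned by a different tenant."""
    return sorted((c.user, s.name) for c in contexts for s in servers
                  if c.tenant != s.tenant and check(c, s))

# Constructed data mirroring the devstack setup in the question.
CONTEXTS = [
    Context("demoadmin", "demo", frozenset({"admin"})),
    Context("admin", "admin", frozenset({"admin"})),     # assumed user
    Context("demouser", "demo", frozenset({"Member"})),  # assumed user
]
SERVERS = [Server("adminServer", "admin"), Server("demoServer", "demo")]

if __name__ == "__main__":
    print("role only     :", cross_tenant_grants(role_only_check, CONTEXTS, SERVERS))
    print("tenant scoped :", cross_tenant_grants(tenant_scoped_check, CONTEXTS, SERVERS))
    scoped = partial(tenant_scoped_check, global_admin_tenants=frozenset({"admin"}))
    print("global 'admin':", cross_tenant_grants(scoped, CONTEXTS, SERVERS))
```

Running the same audit over a real role-assignment export shows which admin assignments would cross tenant boundaries under each rule.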

Question information

Language: English
Status: Solved
For: OpenStack Compute (nova)
Assignee: No assignee
Solved by: John Garbutt

Best John Garbutt (johngarbutt) said :
#1

Take a look at this:
http://<email address hidden>/msg09226.html

Mandar Vaze (mandarvaze) said :
#2

Thanks John Garbutt, that solved my question.