Differentiate system-wide admins from tenant-specific admins
We are currently using 'admin' to mean multiple things:
1) Can perform administrative commands on the current tenant (e.g. migrate a server)
2) Can list/act on other tenants (e.g. list all instances, delete another tenant's volume)
We should differentiate system-wide admins from tenant-specific admins. This might mean having a special tenant for system admins. It may also mean creating a special concept in keystone of a user that has a role on every tenant in the system. This might be necessary because it may be best to force commands to only work on the current tenant, which would mean a system administrator would have to get a token for the tenant he wishes to administer. Manually adding an administrative user to every tenant in the system would be difficult.
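The two meanings of 'admin' kept apart in an authorization check, as an added Python example that is not Nova or Keystone code. The role names `admin` and `system_admin`, the `Token` class, the action names and both functions are hypothetical; the blueprint defines none of them.

```python
from dataclasses import dataclass

# Hypothetical role names: the blueprint does not define any.
TENANT_ADMIN = "admin"          # administrative commands on the token's tenant
SYSTEM_ADMIN = "system_admin"   # may list/act on other tenants

ADMIN_ACTIONS = {"migrate_server"}              # need an admin role
USER_ACTIONS = {"list_volumes", "delete_volume"}


@dataclass(frozen=True)
class Token:
    user: str
    tenant: str          # the tenant this token is scoped to
    roles: frozenset


def authorize(token, action, target_tenant):
    """Return True if the token may perform action on target_tenant."""
    if action not in ADMIN_ACTIONS | USER_ACTIONS:
        return False                            # unknown action: deny
    if target_tenant != token.tenant:
        # Meaning 2 of 'admin': cross-tenant access needs the system-wide role.
        return SYSTEM_ADMIN in token.roles
    if action in ADMIN_ACTIONS:
        # Meaning 1 of 'admin': administrative command on the current tenant.
        return bool({TENANT_ADMIN, SYSTEM_ADMIN} & token.roles)
    return True


def list_volumes(token, volumes, all_tenants=False):
    """Filter (tenant, volume_id) pairs down to what the token may see."""
    if all_tenants and SYSTEM_ADMIN in token.roles:
        return list(volumes)
    # A tenant admin asking for all_tenants still gets only its own tenant.
    return [v for v in volumes if v[0] == token.tenant]


# Constructed sample data.
VOLUMES = [("tenant-a", "vol-1"), ("tenant-b", "vol-2")]
alice = Token("alice", "tenant-a", frozenset({TENANT_ADMIN}))
root = Token("root", "tenant-a", frozenset({SYSTEM_ADMIN}))
```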
Blueprint information
- Status:
- Complete
- Approver:
- Vish Ishaya
- Priority:
- Undefined
- Drafter:
- None
- Direction:
- Needs approval
- Assignee:
- None
- Definition:
- Obsolete
- Series goal:
- None
- Implementation:
- Unknown
- Milestone target:
- None
- Started by
- Completed by
- John Garbutt
Related branches
Related bugs
Bug #967882: Volumes, volume snapshots, instance snaphots and keypairs all show cross-tenant info when logged in as admin | Fix Released |
Sprints
Whiteboard
This is stale, marking as obsolete, if we need these things, let's propose them in new blueprints -- johnthetubaguy
WordPress uses the term Super Admin vs admin, might work well here as well.