Limit user scope to a project in openstack

I have an openstack victoria cloud setup. I am using default policy of keystone and have not made any changes to that policy.

I have created a test user names testuser in openstack. I assigned it primary project as testproject and admin role. But when I login as testuser, I am able to access the admin project as well. Its like my scope is not limited to testproject.

According to the documentation

https://docs.openstack.org/keystone/latest/admin/service-api-protection.html

Project administrators can only view and modify data within the project they have authorization on. They’re able to view information about their projects and set tags on their projects. They’re not allowed to view system or domain resources, as that would violate the tenancy of their role assignment. Since the majority of the resources in keystone’s API are system and domain-specific, project administrators don’t have much authorization.

openstack role assignment list --names --project testproject --role admin
+-------+------------------+-------+---------------------+--------+--
| Role  | User             | Group | Project             | Domain | System | Inherited |
+-------+------------------+-------+---------------------+--------+--
| admin | testuser@Default |       | testproject@Default |        |        | False     |
+-------+------------------+-------+---------------------+--------+--

# openstack role assignment list --names --project admin
+-------+---------------+-------+---------------+--------+--------+--
| Role  | User          | Group | Project       | Domain | System | Inherited |
+-------+---------------+-------+---------------+--------+--------+--
| admin | admin@Default |       | admin@Default |        |        | False     |
+-------+---------------+-------+---------------+--------+--------+--

What should I do to limit user to the scope of its assigned primary project?

I think I got it (in Xena)

I noticed that my keystone was not restricting out-of-scope commands (such as creating a group using a project-scoped token in a domain you don't have a role in)

I added this in /etc/keystone/keystone.conf:

[oslo_policy]
enforce_scope = true

It baffles me that this defaults to false

After adding this, the group policies started being enforced correctly (I get a 403 if I don't use the domain-scoped token of the correct domain)

Further testing reveals that the admin project is also throwing 403's when I try to interact with it using a token that is scoped to testProjectA

https://docs.openstack.org/keystone/xena/install/keystone-install-ubuntu.html#finalize-the-installation One slight note, the keystone setup instructions at the bottom of the above link will give you a project-scoped token on the admin project, and your openstack command will be restricted accordingly

I changed mine to this so that im using a system scoped token instead

export OS_AUTH_URL=http://dal-eq3-ctrl-001:5000/v3
export OS_IDENTITY_API_VERSION=3

export OS_USER_DOMAIN_NAME=Default
export OS_USERNAME=admin
export OS_PASSWORD=<pass>

export OS_SYSTEM_SCOPE=all