User that has been assigned admin role within their project gets treated as de-fact admin in Glance even when project scoped "Secure RBAC" feature is enabled.

Secure RBAC personas were introduced in Wallaby cycle creating project scope. If user is granted admin rights within the project scope based on the Secure RBAC roles model the user gets treated as admin in Glance.

stack@ubnt-devstack:~/devstack$ openstack project create --enable privilege-test
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | ed7b2d168e444122b9700701834e8d97 |
| is_domain   | False                            |
| name        | privilege-test                   |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
NOTE THE PROJECT ID.

stack@ubnt-devstack:~/devstack$ openstack user create --project privilege-test --password <SNIP> --email <email address hidden> --ignore-change-password-upon-first-use --disable-multi-factor-auth --enable privtest
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+---------------------+-------------------------------------------------------------------------------------+
| Field               | Value                                                                               |
+---------------------+-------------------------------------------------------------------------------------+
| default_project_id  | ed7b2d168e444122b9700701834e8d97                                                    |
| domain_id           | default                                                                             |
| email               | <email address hidden>                                                               |
| enabled             | True                                                                                |
| id                  | eb0d6ce9c6bc42ee8962ad97849b38f7                                                    |
| name                | privtest                                                                            |
| options             | {'ignore_change_password_upon_first_use': True, 'multi_factor_auth_enabled': False} |
| password_expires_at | None                                                                                |
+---------------------+-------------------------------------------------------------------------------------+


stack@ubnt-devstack:~/devstack$ openstack role add --project privilege-test --user privtest admin


stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role        | User              | Group             | Project                    | Domain  | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin       |                   | admins@Default    | admin@Default              |         |        | False     |
| anotherrole | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
| member      | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
| anotherrole |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
| member      |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
| anotherrole |                   | nonadmins@Default | demo@Default               |         |        | False     |
| member      |                   | nonadmins@Default | demo@Default               |         |        | False     |
| admin       | nova@Default      |                   | service@Default            |         |        | False     |
| service     | nova@Default      |                   | service@Default            |         |        | False     |
| admin       | placement@Default |                   | service@Default            |         |        | False     |
| service     | placement@Default |                   | service@Default            |         |        | False     |
| service     | glance@Default    |                   | service@Default            |         |        | False     |
| member      | demo@Default      |                   | invisible_to_admin@Default |         |        | False     |
| anotherrole | demo@Default      |                   | demo@Default               |         |        | False     |
| member      | demo@Default      |                   | demo@Default               |         |        | False     |
| service     | cinder@Default    |                   | service@Default            |         |        | False     |
| admin       | privtest@Default  |                   | privilege-test@Default     |         |        | False     |
| service     | neutron@Default   |                   | service@Default            |         |        | False     |
| admin       | admin@Default     |                   | admin@Default              |         |        | False     |
| admin       | admin@Default     |                   | alt_demo@Default           |         |        | False     |
| admin       | admin@Default     |                   | demo@Default               |         |        | False     |
| admin       | admin@Default     |                   |                            | Default |        | False     |
| admin       | admin@Default     |                   |                            |         | all    | False     |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE: that the 'privtest@Default' user has no other roles than admin in 'privilege-test@Default' project

stack@ubnt-devstack:~/devstack$ . ./openrc privtest privilege-test
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<SNIP>
OS_IDENTITY_API_VERSION=3

NOTE: Using the privtest:privilege-test user and project.

stack@ubnt-devstack:~/devstack$ glance image-show ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property                         | Value                                                                            |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum                         | b874c39491a2377b8490f5f1e89761a4                                                 |
| container_format                 | bare                                                                             |
| created_at                       | 2021-06-22T18:34:43Z                                                             |
| disk_format                      | qcow2                                                                            |
| hw_rng_model                     | virtio                                                                           |
| id                               | ca2eea09-77f5-4c21-bf32-e7774c4f6b70                                             |
| min_disk                         | 0                                                                                |
| min_ram                          | 0                                                                                |
| name                             | cirros-0.5.2-x86_64-disk                                                         |
| os_hash_algo                     | sha512                                                                           |
| os_hash_value                    | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
|                                  | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869                                 |
| os_hidden                        | False                                                                            |
| owner                            | 03ba31a4978e4654a3d185f55711586a                                                 |
| owner_specified.openstack.md5    |                                                                                  |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk                                                  |
| owner_specified.openstack.sha256 |                                                                                  |
| protected                        | True                                                                             |
| size                             | 16300544                                                                         |
| status                           | active                                                                           |
| tags                             | []                                                                               |
| updated_at                       | 2021-06-22T19:00:53Z                                                             |
| virtual_size                     | 117440512                                                                        |
| visibility                       | public                                                                           |
+----------------------------------+----------------------------------------------------------------------------------+
stack@ubnt-devstack:~/devstack$ glance image-update --protected False ca2eea09-77f5-4c21-bf32-e7774c4f6b70
+----------------------------------+----------------------------------------------------------------------------------+
| Property                         | Value                                                                            |
+----------------------------------+----------------------------------------------------------------------------------+
| checksum                         | b874c39491a2377b8490f5f1e89761a4                                                 |
| container_format                 | bare                                                                             |
| created_at                       | 2021-06-22T18:34:43Z                                                             |
| disk_format                      | qcow2                                                                            |
| hw_rng_model                     | virtio                                                                           |
| id                               | ca2eea09-77f5-4c21-bf32-e7774c4f6b70                                             |
| min_disk                         | 0                                                                                |
| min_ram                          | 0                                                                                |
| name                             | cirros-0.5.2-x86_64-disk                                                         |
| os_hash_algo                     | sha512                                                                           |
| os_hash_value                    | 6b813aa46bb90b4da216a4d19376593fa3f4fc7e617f03a92b7fe11e9a3981cbe8f0959dbebe3622 |
|                                  | 5e5f53dc4492341a4863cac4ed1ee0909f3fc78ef9c3e869                                 |
| os_hidden                        | False                                                                            |
| owner                            | 03ba31a4978e4654a3d185f55711586a                                                 |
| owner_specified.openstack.md5    |                                                                                  |
| owner_specified.openstack.object | images/cirros-0.5.2-x86_64-disk                                                  |
| owner_specified.openstack.sha256 |                                                                                  |
| protected                        | False                                                                            |
| size                             | 16300544                                                                         |
| status                           | active                                                                           |
| tags                             | []                                                                               |
| updated_at                       | 2021-06-22T19:49:01Z                                                             |
| virtual_size                     | 117440512                                                                        |
| visibility                       | public                                                                           |
+----------------------------------+----------------------------------------------------------------------------------+

The owner of the image is _NOT_ privilege-test project as one can compare the project id with the owner field.

Any deployment utilizing Secure RBAC and assigning admin-role within any of the 3 scopes (Project, Domain or System) grants full admin privileges in Glance for that user.