Browse code
Use service role for neutron instead of admin
When creating the account for neutron to use in keystone,
give it a service role instead of an admin role so it isn't
overprivileged with the ability to create and delete tenants.
Also set the Neutron policy.json file to allow the Neutron
account to administer Neutron.
Closes-Bug: #1344463
Change-Id: I86b15cfcffe549654c28f425c2bcf99403ac10bc
Kevin Benton authored on 2014/07/19 08:06:12Showing 1 changed files
| ... | ... |
@@ -457,13 +457,13 @@ function create_neutron_cache_dir {
|
| 457 | 457 |
function create_neutron_accounts {
|
| 458 | 458 |
|
| 459 | 459 |
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
| 460 |
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
|
| 460 |
+ local service_role=$(openstack role list | awk "/ service / { print \$2 }")
|
|
| 461 | 461 |
|
| 462 | 462 |
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then |
| 463 | 463 |
|
| 464 | 464 |
local neutron_user=$(get_or_create_user "neutron" \ |
| 465 | 465 |
"$SERVICE_PASSWORD" $service_tenant) |
| 466 |
- get_or_add_user_role $admin_role $neutron_user $service_tenant |
|
| 466 |
+ get_or_add_user_role $service_role $neutron_user $service_tenant |
|
| 467 | 467 |
|
| 468 | 468 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
| 469 | 469 |
|
| ... | ... |
@@ -889,6 +889,9 @@ function _configure_neutron_service {
|
| 889 | 889 |
cp $NEUTRON_DIR/etc/api-paste.ini $Q_API_PASTE_FILE |
| 890 | 890 |
cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE |
| 891 | 891 |
|
| 892 |
+ # allow neutron user to administer neutron to match neutron account |
|
| 893 |
+ sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE |
|
| 894 |
+ |
|
| 892 | 895 |
# Update either configuration file with plugin |
| 893 | 896 |
iniset $NEUTRON_CONF DEFAULT core_plugin $Q_PLUGIN_CLASS |
| 894 | 897 |
|