Instead of using a full admin role to validate tokens, just use the
service role. Change this where possible; some services use the service user
for more than just token validation.
Fixes bug 1153789
Change-Id: I0801475b62a7b025fdd871f52d8606aa614d1a32
| ... | ... |
@@ -5,9 +5,9 @@ |
| 5 | 5 |
# Tenant User Roles |
| 6 | 6 |
# ------------------------------------------------------------------ |
| 7 | 7 |
# service glance admin |
| 8 |
-# service swift admin # if enabled |
|
| 9 |
-# service heat admin # if enabled |
|
| 10 |
-# service ceilometer admin # if enabled |
|
| 8 |
+# service swift service # if enabled |
|
| 9 |
+# service heat service # if enabled |
|
| 10 |
+# service ceilometer service # if enabled |
|
| 11 | 11 |
# Tempest Only: |
| 12 | 12 |
# alt_demo alt_demo Member |
| 13 | 13 |
# |
| ... | ... |
@@ -47,6 +47,8 @@ MEMBER_ROLE=$(keystone role-list | awk "/ Member / { print \$2 }")
|
| 47 | 47 |
# but ResellerAdmin is needed for a user to act as any tenant. The name of this |
| 48 | 48 |
# role is also configurable in swift-proxy.conf |
| 49 | 49 |
RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin) |
| 50 |
+# Service role, so service users do not have to be admins |
|
| 51 |
+SERVICE_ROLE=$(get_id keystone role-create --name=service) |
|
| 50 | 52 |
|
| 51 | 53 |
|
| 52 | 54 |
# Services |
| ... | ... |
@@ -70,7 +72,7 @@ if [[ "$ENABLED_SERVICES" =~ "heat" ]]; then |
| 70 | 70 |
--email=heat@example.com) |
| 71 | 71 |
keystone user-role-add --tenant_id $SERVICE_TENANT \ |
| 72 | 72 |
--user_id $HEAT_USER \ |
| 73 |
- --role_id $ADMIN_ROLE |
|
| 73 |
+ --role_id $SERVICE_ROLE |
|
| 74 | 74 |
# heat_stack_user role is for users created by Heat |
| 75 | 75 |
keystone role-create --name heat_stack_user |
| 76 | 76 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
| ... | ... |
@@ -133,7 +135,7 @@ if [[ "$ENABLED_SERVICES" =~ "swift" || "$ENABLED_SERVICES" =~ "s-proxy" ]]; the |
| 133 | 133 |
keystone user-role-add \ |
| 134 | 134 |
--tenant_id $SERVICE_TENANT \ |
| 135 | 135 |
--user_id $SWIFT_USER \ |
| 136 |
- --role_id $ADMIN_ROLE |
|
| 136 |
+ --role_id $SERVICE_ROLE |
|
| 137 | 137 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
| 138 | 138 |
SWIFT_SERVICE=$(get_id keystone service-create \ |
| 139 | 139 |
--name=swift \ |
| ... | ... |
@@ -155,7 +157,7 @@ if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]]; then |
| 155 | 155 |
--email=ceilometer@example.com) |
| 156 | 156 |
keystone user-role-add --tenant_id $SERVICE_TENANT \ |
| 157 | 157 |
--user_id $CEILOMETER_USER \ |
| 158 |
- --role_id $ADMIN_ROLE |
|
| 158 |
+ --role_id $SERVICE_ROLE |
|
| 159 | 159 |
# Ceilometer needs ResellerAdmin role to access swift account stats. |
| 160 | 160 |
keystone user-role-add --tenant_id $SERVICE_TENANT \ |
| 161 | 161 |
--user_id $CEILOMETER_USER \ |
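Review bot: The new `service` role created at `SERVICE_ROLE=$(get_id keystone role-create --name=service)` is handed to the swift, heat and ceilometer users (the three `--role_id $SERVICE_ROLE` hunks), but nothing on this page shows that keystone's policy actually authorizes `role:service` to validate tokens; if the policy.json in use has no rule admitting that role for token validation (keystone ships a `service_or_admin` style rule for this, but its presence here is not visible), those services lose token validation outright rather than just losing admin. A comment next to the assignment would make the dependency explicit: `# Requires keystone's policy.json to admit role:service for token validation (e.g. a service_or_admin rule); otherwise these service users cannot validate tokens`. Separately, `keystone role-create --name=service` will fail on a re-run when the role already exists, leaving SERVICE_ROLE empty and the `--role_id` arguments blank; that mirrors the existing RESELLER_ROLE pattern a few lines above, so presumably it is an accepted limitation, but it is now a least-privilege-critical value and might deserve the same `role-list | awk` lookup used for MEMBER_ROLE. Glance keeps admin per the commit message, so the unchanged `# service glance admin` line in the header table is consistent.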