
Reduce service user permissions

Most of the services create their service user with the admin role.
This is unnecessary for token validation and they should be restricted
to only having the service role.

Change-Id: Id7a9366d2c6a36139240f64371002362dc2d8d3b

Jamie Lennox authored on 2015/02/10 18:38:56
Showing 8 changed files
@@ -108,7 +108,7 @@ function create_ceilometer_accounts {
108 108
     # Ceilometer
109 109
     if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
110 110
 
111
-        create_service_user "ceilometer" "admin"
111
+        create_service_user "ceilometer"
112 112
 
113 113
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
114 114
             local ceilometer_service=$(get_or_create_service "ceilometer" \
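Review bot: The justification in the commit message covers token validation only, but the ceilometer polling agents authenticate as this same service user to enumerate resources (instances, images, volumes) across every project, and under the other services' default policy those list-all-projects calls presumably require admin — confirm the agents still work with only the service role before this hunk lands. If they do not, keep `create_service_user "ceilometer" "admin"` here with a NOTE in the style of the one added for nova explaining which caller needs it. create_ceilometer_accounts begins outside the hunk.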
@@ -333,7 +333,7 @@ function create_cinder_accounts {
333 333
     # Cinder
334 334
     if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
335 335
 
336
-        create_service_user "cinder" "admin"
336
+        create_service_user "cinder"
337 337
 
338 338
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
339 339
 
@@ -362,7 +362,7 @@ function create_ironic_accounts {
362 362
     if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
363 363
         # Get ironic user if exists
364 364
 
365
-        create_service_user "ironic" "admin"
365
+        create_service_user "ironic"
366 366
 
367 367
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
368 368
 
@@ -356,6 +356,8 @@ function create_nova_accounts {
356 356
     # Nova
357 357
     if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
358 358
 
359
+        # NOTE(jamielennox): Nova doesn't need the admin role here, however neutron uses
360
+        # this service user when notifying nova of changes and that requires the admin role.
359 361
         create_service_user "nova" "admin"
360 362
 
361 363
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
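Review bot: The added NOTE leaves the most widely deployed service user at admin for the benefit of a different service, which undercuts the commit's goal; the admin grant could instead be made conditional on neutron being enabled, using the same `$ENABLED_SERVICES` test this function already applies for n-api, so deployments without neutron get the reduced role, or neutron could notify nova with its own service user. Either way the comment should record that this is temporary so it gets revisited — I'd append `# TODO: drop the admin role once neutron notifies nova with its own credentials.` create_nova_accounts begins outside the hunk.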
@@ -61,7 +61,7 @@ TEMPEST_SERVICES+=,sahara
61 61
 # service     sahara    admin
62 62
 function create_sahara_accounts {
63 63
 
64
-    create_service_user "sahara" "admin"
64
+    create_service_user "sahara"
65 65
 
66 66
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
67 67
 
@@ -603,7 +603,7 @@ function create_swift_accounts {
603 603
 
604 604
     local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
605 605
 
606
-    create_service_user "swift" "admin"
606
+    create_service_user "swift"
607 607
 
608 608
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
609 609
 
@@ -81,7 +81,7 @@ function setup_trove_logging {
81 81
 function create_trove_accounts {
82 82
     if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
83 83
 
84
-        create_service_user "trove" "admin"
84
+        create_service_user "trove"
85 85
 
86 86
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
87 87
 
@@ -215,7 +215,7 @@ function stop_zaqar {
215 215
 }
216 216
 
217 217
 function create_zaqar_accounts {
218
-    create_service_user "zaqar" "admin"
218
+    create_service_user "zaqar"
219 219
 
220 220
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
221 221