Most of the services create their service user with the admin role.
Admin is unnecessary for token validation, so these users should be
restricted to the service role only.
Change-Id: Id7a9366d2c6a36139240f64371002362dc2d8d3b
@@ -108,7 +108,7 @@ function create_ceilometer_accounts { |
108 | 108 |
# Ceilometer |
109 | 109 |
if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then |
110 | 110 |
|
111 |
- create_service_user "ceilometer" "admin" |
|
111 |
+ create_service_user "ceilometer" |
|
112 | 112 |
|
113 | 113 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
114 | 114 |
local ceilometer_service=$(get_or_create_service "ceilometer" \ |
@@ -362,7 +362,7 @@ function create_ironic_accounts { |
362 | 362 |
if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then |
363 | 363 |
# Get ironic user if exists |
364 | 364 |
|
365 |
- create_service_user "ironic" "admin" |
|
365 |
+ create_service_user "ironic" |
|
366 | 366 |
|
367 | 367 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
368 | 368 |
|
@@ -356,6 +356,8 @@ function create_nova_accounts { |
356 | 356 |
# Nova |
357 | 357 |
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then |
358 | 358 |
|
359 |
+ # NOTE(jamielennox): Nova doesn't need the admin role here, however neutron uses |
|
360 |
+ # this service user when notifying nova of changes and that requires the admin role. |
|
359 | 361 |
create_service_user "nova" "admin" |
360 | 362 |
|
361 | 363 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
@@ -603,7 +603,7 @@ function create_swift_accounts { |
603 | 603 |
|
604 | 604 |
local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }") |
605 | 605 |
|
606 |
- create_service_user "swift" "admin" |
|
606 |
+ create_service_user "swift" |
|
607 | 607 |
|
608 | 608 |
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
609 | 609 |
|