Reduce service user permissions

Most of the services create the service user with the admin permission. This is unnecessary for token validation and they should be restricted to only having the service role. Change-Id: Id7a9366d2c6a36139240f64371002362dc2d8d3b
openstack · Feb 11, 2015 · e8bc2b8 · e8bc2b8
1 parent 8ed3e40
commit e8bc2b8
Show file tree

Hide file tree

Showing 8 changed files with 9 additions and 7 deletions.
diff --git a/lib/ceilometer b/lib/ceilometer
@@ -108,7 +108,7 @@ function create_ceilometer_accounts {
     # Ceilometer
     if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
 
-        create_service_user "ceilometer" "admin"
+        create_service_user "ceilometer"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
             local ceilometer_service=$(get_or_create_service "ceilometer" \

diff --git a/lib/cinder b/lib/cinder
@@ -333,7 +333,7 @@ function create_cinder_accounts {
     # Cinder
     if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
 
-        create_service_user "cinder" "admin"
+        create_service_user "cinder"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

diff --git a/lib/ironic b/lib/ironic
@@ -362,7 +362,7 @@ function create_ironic_accounts {
     if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
         # Get ironic user if exists
 
-        create_service_user "ironic" "admin"
+        create_service_user "ironic"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

diff --git a/lib/nova b/lib/nova
@@ -356,6 +356,8 @@ function create_nova_accounts {
     # Nova
     if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
 
+        # NOTE(jamielennox): Nova doesn't need the admin role here, however neutron uses
+        # this service user when notifying nova of changes and that requires the admin role.
         create_service_user "nova" "admin"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

diff --git a/lib/sahara b/lib/sahara
@@ -61,7 +61,7 @@ TEMPEST_SERVICES+=,sahara
 # service     sahara    admin
 function create_sahara_accounts {
 
-    create_service_user "sahara" "admin"
+    create_service_user "sahara"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

diff --git a/lib/swift b/lib/swift
@@ -603,7 +603,7 @@ function create_swift_accounts {
 
     local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
 
-    create_service_user "swift" "admin"
+    create_service_user "swift"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

diff --git a/lib/trove b/lib/trove
@@ -81,7 +81,7 @@ function setup_trove_logging {
 function create_trove_accounts {
     if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
 
-        create_service_user "trove" "admin"
+        create_service_user "trove"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 

diff --git a/lib/zaqar b/lib/zaqar
@@ -215,7 +215,7 @@ function stop_zaqar {
 }
 
 function create_zaqar_accounts {
-    create_service_user "zaqar" "admin"
+    create_service_user "zaqar"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then