From e8bc2b82a04f4cca251ed7437f738672107428a3 Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Tue, 10 Feb 2015 20:38:56 +1100
Subject: [PATCH] Reduce service user permissions

Most of the services create the service user with the admin permission. This is unnecessary for token validation and they should be restricted to only having the service role.

Change-Id: Id7a9366d2c6a36139240f64371002362dc2d8d3b
---
 lib/ceilometer | 2 +-
 lib/cinder | 2 +-
 lib/ironic | 2 +-
 lib/nova | 2 ++
 lib/sahara | 2 +-
 lib/swift | 2 +-
 lib/trove | 2 +-
 lib/zaqar | 2 +-
 8 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/lib/ceilometer b/lib/ceilometer
index f03bab21fc..8fff91058c 100644
--- a/lib/ceilometer
+++ b/lib/ceilometer
@@ -108,7 +108,7 @@ function create_ceilometer_accounts {
 # Ceilometer
 if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
- create_service_user "ceilometer" "admin"
+ create_service_user "ceilometer"
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 local ceilometer_service=$(get_or_create_service "ceilometer" \
diff --git a/lib/cinder b/lib/cinder
index 12ba51e49b..17a0cc3c1a 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -333,7 +333,7 @@ function create_cinder_accounts {
 # Cinder
 if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
- create_service_user "cinder" "admin"
+ create_service_user "cinder"
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/ironic b/lib/ironic
index 921bcf1a26..bed816e5c5 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -362,7 +362,7 @@ function create_ironic_accounts {
 if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
 # Get ironic user if exists
- create_service_user "ironic" "admin"
+ create_service_user "ironic"
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/nova b/lib/nova
index c760066f15..6a149af322 100644
--- a/lib/nova
+++ b/lib/nova 
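Review bot: The new `create_service_user "ceilometer"` call depends on whatever default role the helper applies when its second argument is omitted, and that default is not visible in this hunk; if the helper takes the role as its second argument, as the removed line suggests, `create_service_user "ceilometer" "service"` states the intended least privilege explicitly and will not change silently if the helper's default does. The same applies to the cinder, ironic, sahara, swift, trove and zaqar hunks. Token validation needs only the service role, but any of these services that reuses its service credential for cross-tenant API calls (a poller or notifier, the way the nova hunk documents for neutron) may start failing with authorization errors at runtime rather than at setup time, so each affected service is worth exercising once before this merges. create_ceilometer_accounts continues outside the hunk.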
@@ -356,6 +356,8 @@ function create_nova_accounts {
 # Nova
 if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
+ # NOTE(jamielennox): Nova doesn't need the admin role here, however neutron uses
+ # this service user when notifying nova of changes and that requires the admin role.
 create_service_user "nova" "admin"
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/sahara b/lib/sahara
index b3ca32f346..db200cca10 100644
--- a/lib/sahara
+++ b/lib/sahara
@@ -61,7 +61,7 @@ TEMPEST_SERVICES+=,sahara
 # service sahara admin
 function create_sahara_accounts {
- create_service_user "sahara" "admin"
+ create_service_user "sahara"
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/swift b/lib/swift
index d9f750c27f..31a1ba1d20 100644
--- a/lib/swift
+++ b/lib/swift
@@ -603,7 +603,7 @@ function create_swift_accounts {
 local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
- create_service_user "swift" "admin"
+ create_service_user "swift"
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/trove b/lib/trove
index d32c7765e0..e1b307a52f 100644
--- a/lib/trove
+++ b/lib/trove
@@ -81,7 +81,7 @@ function setup_trove_logging {
 function create_trove_accounts {
 if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
- create_service_user "trove" "admin"
+ create_service_user "trove"
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
diff --git a/lib/zaqar b/lib/zaqar
index 8b560bb4d5..4a24415248 100644
--- a/lib/zaqar
+++ b/lib/zaqar
@@ -215,7 +215,7 @@ function stop_zaqar {
 }
 function create_zaqar_accounts {
- create_service_user "zaqar" "admin"
+ create_service_user "zaqar"
 if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
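Review bot: The added NOTE in the nova hunk explains why the admin role is kept but gives no condition under which it can be removed, so the one remaining privileged service user in this series is easy to lose track of. A second line beside it, `# TODO(jamielennox): drop the admin role once neutron's nova notifier uses its own credential`, makes the exception a tracked item rather than a permanent explanation. create_nova_accounts continues outside the hunk.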
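Review bot: The context comment `# service sahara admin` directly above create_sahara_accounts in the sahara hunk is now stale, since the new line no longer grants sahara the admin role; a reader skimming the file would take the comment as the current privilege level. It should be updated to describe what is actually created, for example `# service sahara (service role only)`. create_sahara_accounts continues outside the hunk.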