Reduce service user permissions

Most of the services create the service user with the admin permission. This is unnecessary for token validation and they should be restricted to only having the service role. Change-Id: Id7a9366d2c6a36139240f64371002362dc2d8d3b
2015-02-10 20:38:56 +11:00 · 2015-02-10 20:38:56 +11:00 · e8bc2b82a0
commit e8bc2b82a0
parent 8ed3e40be8
8 changed files with 9 additions and 7 deletions
--- a/lib/ceilometer
+++ b/lib/ceilometer
@ -108,7 +108,7 @@ function create_ceilometer_accounts {
    # Ceilometer
    if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then

-        create_service_user "ceilometer" "admin"
+        create_service_user "ceilometer"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
            local ceilometer_service=$(get_or_create_service "ceilometer" \
--- a/lib/cinder
+++ b/lib/cinder
@ -333,7 +333,7 @@ function create_cinder_accounts {
    # Cinder
    if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then

-        create_service_user "cinder" "admin"
+        create_service_user "cinder"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/ironic
+++ b/lib/ironic
@ -362,7 +362,7 @@ function create_ironic_accounts {
    if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
        # Get ironic user if exists

-        create_service_user "ironic" "admin"
+        create_service_user "ironic"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/nova
+++ b/lib/nova
@ -356,6 +356,8 @@ function create_nova_accounts {
    # Nova
    if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then

+        # NOTE(jamielennox): Nova doesn't need the admin role here, however neutron uses
+        # this service user when notifying nova of changes and that requires the admin role.
        create_service_user "nova" "admin"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
--- a/lib/sahara
+++ b/lib/sahara
@ -61,7 +61,7 @@ TEMPEST_SERVICES+=,sahara
 # service     sahara    admin
 function create_sahara_accounts {

-    create_service_user "sahara" "admin"
+    create_service_user "sahara"

    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/swift
+++ b/lib/swift
@ -603,7 +603,7 @@ function create_swift_accounts {

    local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")

-    create_service_user "swift" "admin"
+    create_service_user "swift"

    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/trove
+++ b/lib/trove
@ -81,7 +81,7 @@ function setup_trove_logging {
 function create_trove_accounts {
    if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then

-        create_service_user "trove" "admin"
+        create_service_user "trove"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/zaqar
+++ b/lib/zaqar
@ -215,7 +215,7 @@ function stop_zaqar {
 }

 function create_zaqar_accounts {
-    create_service_user "zaqar" "admin"
+    create_service_user "zaqar"

    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then