Use service role for neutron instead of admin

When creating the account for neutron to use in keystone,
give it a service role instead of an admin role so it isn't
overprivileged with the ability to create and delete tenants.
Also update Neutron's policy.json so that the neutron service
account is treated as an administrator of the Neutron API.

Closes-Bug: #1344463
Change-Id: I86b15cfcffe549654c28f425c2bcf99403ac10bc
Kevin Benton 2014-07-18 16:06:12 -07:00
parent 7c11e28cf3
commit 08a5fcc7fa


@ -457,13 +457,13 @@ function create_neutron_cache_dir {
function create_neutron_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
local service_role=$(openstack role list | awk "/ service / { print \$2 }")
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
local neutron_user=$(get_or_create_user "neutron" \
"$SERVICE_PASSWORD" $service_tenant)
get_or_add_user_role $admin_role $neutron_user $service_tenant
get_or_add_user_role $service_role $neutron_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
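Review bot: The new `service_role` lookup has no check that a `service` role actually exists in keystone; if `openstack role list` returns no matching row the variable is empty, and because it is expanded unquoted the following `get_or_add_user_role $service_role $neutron_user $service_tenant` is presumably called with its arguments shifted by one, so the neutron account silently ends up without any role rather than failing loudly. Add a guard right after the lookup, e.g. `[[ -n "$service_role" ]] || die $LINENO "service role not found in keystone"` (using whatever error helper this file already provides), and consider splitting the declaration from the assignment so a failing `openstack` call is not masked by `local`. The `awk "/ service /"` pattern is a substring match on the table row, so it is only safe as long as no other role name contains the word `service` surrounded by spaces. create_neutron_accounts continues past the end of this hunk.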
@ -889,6 +889,9 @@ function _configure_neutron_service {
cp $NEUTRON_DIR/etc/api-paste.ini $Q_API_PASTE_FILE
cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE
# allow neutron user to administer neutron to match neutron account
sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE
# Update either configuration file with plugin
iniset $NEUTRON_CONF DEFAULT core_plugin $Q_PLUGIN_CLASS