From 08a5fcc7faae8cab558617b46b684009df595fdd Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Fri, 18 Jul 2014 16:06:12 -0700
Subject: [PATCH] Use service role for neutron instead of admin

When creating the account for neutron to use in keystone, give it a service role instead of an admin role so it isn't overprivileged with the ability to create and delete tenants. Also set the Neutron policy.json file to allow the Neutron account to administer Neutron.

Closes-Bug: #1344463
Change-Id: I86b15cfcffe549654c28f425c2bcf99403ac10bc
---
 lib/neutron | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/neutron b/lib/neutron
index 81f2697abb..a48f519884 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -457,13 +457,13 @@ function create_neutron_cache_dir {
 function create_neutron_accounts {
     local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
-    local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
+    local service_role=$(openstack role list | awk "/ service / { print \$2 }")
     if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
         local neutron_user=$(get_or_create_user "neutron" \
             "$SERVICE_PASSWORD" $service_tenant)
-        get_or_add_user_role $admin_role $neutron_user $service_tenant
+        get_or_add_user_role $service_role $neutron_user $service_tenant
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
@@ -889,6 +889,9 @@ function _configure_neutron_service {
     cp $NEUTRON_DIR/etc/api-paste.ini $Q_API_PASTE_FILE
     cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE
+    # allow neutron user to administer neutron to match neutron account
+    sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE
+
     # Update either configuration file with plugin
     iniset $NEUTRON_CONF DEFAULT core_plugin $Q_PLUGIN_CLASS
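Review bot: `service_role` is never checked before the new `get_or_add_user_role $service_role $neutron_user $service_tenant` line uses it; if no role row matches `/ service /` the variable is empty, the unquoted expansion vanishes, and the helper is called with its arguments shifted one position left, so the neutron account silently ends up with no role and the error surfaces far from its cause. Guard it right after the assignment, e.g. `[[ -n "$service_role" ]] || die $LINENO "service role not found in keystone"`, and quote the three expansions on the role-assignment line. The `local x=$(cmd)` form also hides the exit status of the `openstack role list` call, but that mirrors the existing `service_tenant` line above it. create_neutron_accounts continues past the end of the hunk.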
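Review bot: The new `sed -i` on `$Q_POLICY_FILE` has no success check: if the copied policy.json does not contain the exact text `"context_is_admin": "role:admin"` (different spacing, or a changed upstream default) the substitution is a no-op, the script continues, and the neutron account, now without the admin role from the first hunk, loses the admin-context operations it had before; that regression would only show up at run time. Confirm the edit landed, e.g. `grep -q 'user_name:neutron' $Q_POLICY_FILE || die $LINENO "could not update context_is_admin in $Q_POLICY_FILE"`. The added rule keys on `user_name:neutron`, which is broader than the single account created earlier in the file since any user named neutron in any Keystone domain satisfies it, whereas matching on the created user's id would be exact; a comment recording that this is an accepted dev-environment trade-off would help the next reader. `$Q_POLICY_FILE` is unquoted, matching the surrounding `cp` lines; _configure_neutron_service continues past the end of the hunk.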