Use service role for neutron instead of admin
When creating the account for neutron to use in keystone, give it a service role instead of an admin role so it isn't overprivileged with the ability to create and delete tenants. Also set the Neutron policy.json file to allow the Neutron account to administer Neutron. Closes-Bug: #1344463 Change-Id: I86b15cfcffe549654c28f425c2bcf99403ac10bc
This commit is contained in:
parent
7c11e28cf3
commit
08a5fcc7fa
@ -457,13 +457,13 @@ function create_neutron_cache_dir {
|
||||
function create_neutron_accounts {
|
||||
|
||||
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
|
||||
local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
|
||||
local service_role=$(openstack role list | awk "/ service / { print \$2 }")
|
||||
|
||||
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
|
||||
|
||||
local neutron_user=$(get_or_create_user "neutron" \
|
||||
"$SERVICE_PASSWORD" $service_tenant)
|
||||
get_or_add_user_role $admin_role $neutron_user $service_tenant
|
||||
get_or_add_user_role $service_role $neutron_user $service_tenant
|
||||
|
||||
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
|
||||
|
||||
@ -889,6 +889,9 @@ function _configure_neutron_service {
|
||||
cp $NEUTRON_DIR/etc/api-paste.ini $Q_API_PASTE_FILE
|
||||
cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE
|
||||
|
||||
# allow neutron user to administer neutron to match neutron account
|
||||
sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE
|
||||
|
||||
# Update either configuration file with plugin
|
||||
iniset $NEUTRON_CONF DEFAULT core_plugin $Q_PLUGIN_CLASS
|
||||
|
||||
|
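Review bot: The policy rewrite at the `sed` line grants Neutron admin to any token whose user name is `neutron`, with no role or project constraint, so a same-named user in another project or domain would also satisfy `context_is_admin`; tying the exception to the role this commit introduces narrows that, e.g. `"context_is_admin": "role:admin or (role:service and user_name:neutron)"` (confirm the policy language's `and`/parentheses support against the neutron release in use). The in-place edit is also unchecked: if the shipped `policy.json` formats the rule differently (extra whitespace, a changed default), `sed -i` silently changes nothing and the service account, which after this change no longer holds `admin`, will fail every admin-gated Neutron call at runtime instead of at setup. A guard such as `grep -q 'user_name:neutron' $Q_POLICY_FILE || die $LINENO "failed to update context_is_admin in $Q_POLICY_FILE"` would surface that immediately (assuming devstack's usual `die` helper is in scope here). `_configure_neutron_service` begins outside this hunk.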