From 1216b9fae9d8b93c9387147ab2b5bce07af7daa4 Mon Sep 17 00:00:00 2001
From: Joe Gordon <joe.gordon0@gmail.com>
Date: Tue, 4 Jun 2013 18:55:06 +0000
Subject: [PATCH] Use service role instead of admin role for service users

Instead of using a full admin role to validate tokens just use the
service role. Change where possible, some services use the service user
for more than just token validation.

Fixes bug 1153789

Change-Id: I0801475b62a7b025fdd871f52d8606aa614d1a32
---
 files/keystone_data.sh | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index 72b5b1e9c8..a1875e183b 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -5,9 +5,9 @@
 # Tenant               User       Roles
 # ------------------------------------------------------------------
 # service              glance     admin
-# service              swift      admin        # if enabled
-# service              heat       admin        # if enabled
-# service              ceilometer admin        # if enabled
+# service              swift      service        # if enabled
+# service              heat       service        # if enabled
+# service              ceilometer service        # if enabled
 # Tempest Only:
 # alt_demo             alt_demo  Member
 #
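Review bot: The header table still lists glance with the admin role (`# service              glance     admin`) while the three neighbouring services are switched to `service`, and nothing in the file says why glance is the exception, so a later reader cannot tell whether it was missed or is deliberate. The commit message explains that some services use the service user for more than token validation; carrying that into the header, e.g. `# glance keeps admin: its service user is used for more than token validation`, would stop the next person from "fixing" it. Whether that is the actual reason for glance is inferred from the commit message and should be confirmed before it is written down.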
@@ -47,6 +47,8 @@ MEMBER_ROLE=$(keystone role-list | awk "/ Member / { print \$2 }")
 # but ResellerAdmin is needed for a user to act as any tenant. The name of this
 # role is also configurable in swift-proxy.conf
 RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
+# Service role, so service users do not have to be admins
+SERVICE_ROLE=$(get_id keystone role-create --name=service)
 
 
 # Services
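Review bot: The new `SERVICE_ROLE=$(get_id keystone role-create --name=service)` is never checked, and the value is later expanded unquoted as `--role_id $SERVICE_ROLE`, so if role-create yields nothing (presumably the case when the role already exists on a re-run) the later user-role-add calls run with the role argument missing rather than failing here. A guard directly after the assignment, `: "${SERVICE_ROLE:?could not create the service role}"`, surfaces the failure at its source; this mirrors the existing RESELLER_ROLE line, which has the same weakness, so it may be worth applying to both. The comment would also be more useful if it recorded what makes this role sufficient: the services switched below only keep working if keystone's policy lets the service role validate tokens, which this patch does not show — confirm and record it, e.g. `# Service role, so service users do not have to be admins; keystone policy must permit this role to validate tokens`.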
@@ -70,7 +72,7 @@ if [[ "$ENABLED_SERVICES" =~ "heat" ]]; then
                                               --email=heat@example.com)
     keystone user-role-add --tenant_id $SERVICE_TENANT \
                            --user_id $HEAT_USER \
-                           --role_id $ADMIN_ROLE
+                           --role_id $SERVICE_ROLE
     # heat_stack_user role is for users created by Heat
     keystone role-create --name heat_stack_user
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
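Review bot: `--role_id $SERVICE_ROLE` is expanded unquoted, so an empty value silently drops the argument instead of passing an empty role id; the same pattern appears in the swift hunk (`--role_id $SERVICE_ROLE` after `--user_id $SWIFT_USER`) and in the ceilometer hunk. It matches the existing `$ADMIN_ROLE` usage, but since this patch introduces a new variable that may be unset when role creation fails, it is the right moment to quote it: `--role_id "$SERVICE_ROLE"`. The enclosing `if [[ "$ENABLED_SERVICES" =~ "heat" ]]` block starts before this hunk and its body continues after it.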
@@ -133,7 +135,7 @@ if [[ "$ENABLED_SERVICES" =~ "swift" || "$ENABLED_SERVICES" =~ "s-proxy" ]]; the
     keystone user-role-add \
         --tenant_id $SERVICE_TENANT \
         --user_id $SWIFT_USER \
-        --role_id $ADMIN_ROLE
+        --role_id $SERVICE_ROLE
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
         SWIFT_SERVICE=$(get_id keystone service-create \
             --name=swift \
@@ -155,7 +157,7 @@ if [[ "$ENABLED_SERVICES" =~ "ceilometer" ]]; then
                                               --email=ceilometer@example.com)
     keystone user-role-add --tenant_id $SERVICE_TENANT \
                            --user_id $CEILOMETER_USER \
-                           --role_id $ADMIN_ROLE
+                           --role_id $SERVICE_ROLE
     # Ceilometer needs ResellerAdmin role to access swift account stats.
     keystone user-role-add --tenant_id $SERVICE_TENANT \
                            --user_id $CEILOMETER_USER \