Merge "Reduce service user permissions"

2015-02-11 15:55:40 +00:00 · 2015-02-11 15:55:40 +00:00 · ee2e53592b
commit ee2e53592b
parent 6f0efa06b9 e8bc2b82a0
8 changed files with 9 additions and 7 deletions
--- a/lib/ceilometer
+++ b/lib/ceilometer
@ -108,7 +108,7 @@ function create_ceilometer_accounts {
    # Ceilometer
    if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then

-        create_service_user "ceilometer" "admin"
+        create_service_user "ceilometer"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
            local ceilometer_service=$(get_or_create_service "ceilometer" \
--- a/lib/cinder
+++ b/lib/cinder
@ -333,7 +333,7 @@ function create_cinder_accounts {
    # Cinder
    if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then

-        create_service_user "cinder" "admin"
+        create_service_user "cinder"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/ironic
+++ b/lib/ironic
@ -362,7 +362,7 @@ function create_ironic_accounts {
    if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
        # Get ironic user if exists

-        create_service_user "ironic" "admin"
+        create_service_user "ironic"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/nova
+++ b/lib/nova
@ -356,6 +356,8 @@ function create_nova_accounts {
    # Nova
    if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then

+        # NOTE(jamielennox): Nova doesn't need the admin role here, however neutron uses
+        # this service user when notifying nova of changes and that requires the admin role.
        create_service_user "nova" "admin"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
--- a/lib/sahara
+++ b/lib/sahara
@ -61,7 +61,7 @@ TEMPEST_SERVICES+=,sahara
 # service     sahara    admin
 function create_sahara_accounts {

-    create_service_user "sahara" "admin"
+    create_service_user "sahara"

    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/swift
+++ b/lib/swift
@ -603,7 +603,7 @@ function create_swift_accounts {

    local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")

-    create_service_user "swift" "admin"
+    create_service_user "swift"

    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/trove
+++ b/lib/trove
@ -81,7 +81,7 @@ function setup_trove_logging {
 function create_trove_accounts {
    if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then

-        create_service_user "trove" "admin"
+        create_service_user "trove"

        if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

--- a/lib/zaqar
+++ b/lib/zaqar
@ -215,7 +215,7 @@ function stop_zaqar {
 }

 function create_zaqar_accounts {
-    create_service_user "zaqar" "admin"
+    create_service_user "zaqar"

    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then