Bug 1023533

Summary: API services has all admin permission instead of service
Product: [Community] RDO
Reporter: Attila Fazekas <afazekas>
Component: openstack-packstack
Assignee: Francesco Vollero <fvollero>
Status: CLOSED EOL
QA Contact: Shai Revivo <srevivo>
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: aortega, chris.brown, derekh, eglynn, fvollero, lars, srevivo
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2017-06-18 06:34:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Attila Fazekas 2013-10-25 16:07:21 UTC
Description of problem:
/etc/keystone/policy.json defines policies for the service role, but the service role does not exist in the system after a default packstack installation.

AFAIK, now all services just use their service account for token verification;
they do not need to be able to create a new admin account, for example.

Expected results:
- the service role is created
- the service accounts use the service role instead of admin.
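
An added audit check, not part of the bug report or of Keystone/packstack: it lists the roles a Keystone policy.json references, reports those absent from a constructed list of roles that exist in Keystone, and evaluates a rule against a set of roles using a minimal subset of the oslo.policy syntax (assumption: only `rule:`, `role:`, `is_admin:`, `and`, `or`, `""` and `"!"`, no parentheses or `not`). The sample policy and role list are constructed.

```python
"""Audit roles referenced by a Keystone policy.json against roles that exist."""
import json
import re

# Constructed sample in the policy.json syntax; the real file is /etc/keystone/policy.json.
SAMPLE_POLICY = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "identity:validate_token": "rule:service_or_admin",
    "identity:create_user": "rule:admin_required",
})
# Constructed: roles present after an install that never created "service".
EXISTING_ROLES = ["admin", "_member_"]


def roles_referenced(policy_text):
    """Every role name appearing as 'role:<name>' anywhere in the rules."""
    rules = json.loads(policy_text)
    return sorted({m for rule in rules.values()
                   for m in re.findall(r"role:([\w-]+)", rule)})


def missing_roles(policy_text, existing_roles):
    """Roles the policy relies on that no user could actually be assigned."""
    present = set(existing_roles)
    return [r for r in roles_referenced(policy_text) if r not in present]


def rule_allows(rules, target, roles, is_admin=False):
    """Evaluate rules[target] for a caller holding `roles` (subset of oslo.policy syntax)."""
    expr = rules[target].strip()
    if expr == "":      # empty rule: always allowed
        return True
    if expr == "!":     # bang rule: always denied
        return False
    for disjunct in expr.split(" or "):          # 'and' binds tighter than 'or'
        ok = True
        for term in disjunct.split(" and "):
            kind, _, value = term.strip().partition(":")
            if kind == "rule":
                ok = ok and rule_allows(rules, value, roles, is_admin)
            elif kind == "role":
                ok = ok and value in roles
            elif kind == "is_admin":
                ok = ok and is_admin
            else:
                ok = False  # unknown check kind: deny (assumption, conservative)
        if ok:
            return True
    return False
```

Running `missing_roles(SAMPLE_POLICY, EXISTING_ROLES)` shows the gap the bug describes: `service` is referenced but does not exist, so the `service_role` branch can never match and only `admin` satisfies token validation.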

Comment 1 Eoghan Glynn 2014-01-21 10:17:23 UTC
The service role would be insufficient for the ceilometer user.

While it would authorize the ceilometer-api service to call token verification operations, it would not allow the ceilometer-compute agent to poll the nova-api with the all_tenants flag set (in order to discover all instances running on the local compute node), as this operation requires admin privilege; see:

Default nova policy:
  https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L4

Defaulted nova policy for get_all_tenants:
  https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L13

Enforcement of get_all_tenants policy:
  https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/servers.py#L572

So while revoking the admin role from certain service users (in favour of the more restricted service role) may work, it would not make sense currently for the ceilometer user (absent compensating changes to the nova-api RBAC policies).

Comment 2 Attila Fazekas 2015-03-02 12:32:05 UTC
These services are expected to work without the admin role.
"cinder": "service"
"glance": "service"
"neutron": "service"
"sahara": "service"
"trove": "service"
"zaqar": "service"

These services MAY need some additional configuration:

"swift": "admin" (an Ironic related setup mentioned where the admin role was needed)
"ironic": "admin"
"ceilometer": "admin"
"heat": "admin"
"nova": "admin" (if the client services use the same "nova" account)

BTW: Neutron MAY have a dedicated account for accessing nova.
A service user named `neutron-nova` MAY be created for this purpose.

Comment 5 Christopher Brown 2017-06-17 16:50:34 UTC
I think this bug is stale and should be closed?