Bug 1023533

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | API services has all admin permission instead of service | | |
| Product: | [Community] RDO | Reporter: | Attila Fazekas <afazekas> |
| Component: | openstack-packstack | Assignee: | Francesco Vollero <fvollero> |
| Status: | CLOSED EOL | QA Contact: | Shai Revivo <srevivo> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | aortega, chris.brown, derekh, eglynn, fvollero, lars, srevivo |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-06-18 06:34:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Attila Fazekas
2013-10-25 16:07:21 UTC
The service role would be insufficient for the ceilometer user. While it would authorize the ceilometer-api service to call token verification operations, it would not allow the ceilometer-compute agent to poll the nova-api with the all_tenants flag set (in order to discover all instances running on the local compute node), as this operation requires admin privilege. See:

Default nova policy: https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L4
Defaulted nova policy for get_all_tenants: https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L13
Enforcement of get_all_tenants policy: https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/servers.py#L572

So while revoking the admin role from certain service users (in favour of the more restricted service role) may work, it would not make sense currently for the ceilometer user (absent compensating changes to the nova-api RBAC policies).

These services are expected to work without the admin role:

"cinder": "service"
"glance": "service"
"neutron": "service"
"sahara": "service"
"trove": "service"
"zaqar": "service"

These services MAY need some additional configuration:

"swift": "admin" (an Ironic related setup mentioned where the admin role was needed)
"ironic": "admin"
"ceilometer": "admin"
"heat": "admin"
"nova": "admin" (if the client services use the same "nova" account)

BTW: Neutron MAY have a dedicated account for accessing nova. A `neutron-nova` named service user MAY be created for this purpose.

I think this bug is stale and should be closed?
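The comment above turns on how nova's policy engine evaluates `compute:get_all_tenants`: a token that carries only the `service` role never satisfies an `is_admin:True` rule, so the ceilometer account ends up needing the full `admin` role. The following example is added here for illustration and is not code from the bug report, from packstack or from nova. It is a toy evaluator for the `role:`/`is_admin:`/`rule:` syntax used in OpenStack `policy.json` files; the policy strings approximate the Havana-era nova defaults but are assumptions, not a copy of the real file, and the `telemetry_poller` role and the service account names are constructed for the example. It shows the two outcomes the comment describes (service role denied, admin role allowed) and one shape a compensating policy change can take: granting the single all-tenants operation to a dedicated role instead of handing the account `admin`, so every other admin-only operation stays out of reach.

```python
"""Toy oslo.policy-style rule evaluator (constructed example, not nova's code)."""
import json
import re

# Constructed policy approximating the nova defaults the bug refers to.
# Assumption: not copied from nova's policy.json.
DEFAULT_POLICY = json.loads("""
{
  "context_is_admin": "role:admin",
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "default": "rule:admin_or_owner",
  "compute:get_all_tenants": "is_admin:True",
  "compute:get": "rule:admin_or_owner"
}
""")

# Constructed compensating policy: grant only the one operation ceilometer
# needs to a hypothetical dedicated role, leaving everything else admin-only.
COMPENSATING_POLICY = dict(
    DEFAULT_POLICY,
    **{"compute:get_all_tenants": "is_admin:True or role:telemetry_poller"},
)


class Enforcer:
    """Evaluate rule strings: 'role:X', 'is_admin:True', 'rule:Y',
    generic 'cred_key:value' with %(target_key)s substitution, '' / '@'
    (always true) and '!' (always false), joined by 'and' / 'or'.
    Parentheses and 'not' are left out to keep the toy short."""

    def __init__(self, policy):
        self.policy = policy

    def enforce(self, rule, creds, target=None, _depth=0):
        # Unknown rule names fall back to the policy's "default" entry.
        if _depth > 10:
            raise RecursionError("rule reference loop in policy")
        expr = self.policy.get(rule, self.policy.get("default", "!"))
        return self._eval(expr, creds, target or {}, _depth)

    def _eval(self, expr, creds, target, depth):
        expr = expr.strip()
        if expr in ("", "@"):
            return True
        if expr == "!":
            return False
        # 'or' binds weaker than 'and', so split on 'or' first.
        return any(
            all(self._atom(a.strip(), creds, target, depth)
                for a in disjunct.split(" and "))
            for disjunct in expr.split(" or ")
        )

    def _atom(self, atom, creds, target, depth):
        kind, _, value = atom.partition(":")
        if kind == "rule":
            return self.enforce(value, creds, target, depth + 1)
        if kind == "role":
            return value.lower() in (r.lower() for r in creds.get("roles", []))
        if kind == "is_admin":
            return bool(creds.get("is_admin", False)) == (value == "True")
        # Generic credential match, e.g. project_id:%(project_id)s
        expected = re.sub(r"%\((\w+)\)s",
                          lambda m: str(target.get(m.group(1), "")), value)
        return str(creds.get(kind, "")) == expected


def build_context(policy, roles, project_id="svc-project"):
    """Mimic how the API derives is_admin from the context_is_admin rule."""
    creds = {"roles": list(roles), "project_id": project_id}
    creds["is_admin"] = Enforcer(policy).enforce("context_is_admin", creds)
    return creds


def can_list_all_tenants(policy, roles):
    """Would a token carrying these roles pass compute:get_all_tenants?"""
    creds = build_context(policy, roles)
    return Enforcer(policy).enforce("compute:get_all_tenants", creds)


def audit_accounts(policy, accounts):
    """Report which service accounts can list every tenant's servers."""
    return {name: can_list_all_tenants(policy, roles)
            for name, roles in accounts.items()}


# Constructed service accounts; the role assignments are illustrative.
ACCOUNTS = {
    "cinder": ["service"],
    "glance": ["service"],
    "ceilometer_admin": ["admin"],                         # what the bug describes
    "ceilometer_scoped": ["service", "telemetry_poller"],  # hypothetical alternative
}

if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY),
                          ("compensating", COMPENSATING_POLICY)):
        print(label, audit_accounts(policy, ACCOUNTS))
```

Under `DEFAULT_POLICY` only the account holding `admin` passes the all-tenants check, which is the situation the comment describes. Under `COMPENSATING_POLICY` the scoped ceilometer account passes that one check while `build_context` still reports it as a non-admin, so a cross-project `compute:get` on someone else's server is still refused; the plain `service` accounts stay exactly as restricted as before.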