Description of problem: /etc/keystone/policy.json defines policies for the service role, but the service role does not exist in the system after a default packstack installation. AFAIK, all services now just use their service account for token verification; they do not need to be able to create a new admin account, for example.
Expected results:
- the service role is created
- the service accounts use the service role instead of admin.
The service role would be insufficient for the ceilometer user. While it would authorize the ceilometer-api service to call token verification operations, it would not allow the ceilometer-compute agent to poll the nova-api with the all_tenants flag set (in order to discover all instances running on the local compute node), as this operation requires admin privilege, see:
Default nova policy: https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L4
Default nova policy for get_all_tenants: https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L13
Enforcement of the get_all_tenants policy: https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/servers.py#L572
So while revoking the admin role from certain service users (in favour of the more restricted service role) may work, it would not make sense currently for the ceilometer user (absent compensating changes to the nova-api RBAC policies).
These services are expected to work without the admin role:
"cinder": "service"
"glance": "service"
"neutron": "service"
"sahara": "service"
"trove": "service"
"zaqar": "service"
These services MAY need some additional configuration:
"swift": "admin" (an Ironic related setup was mentioned where the admin role was needed)
"ironic": "admin"
"ceilometer": "admin"
"heat": "admin"
"nova": "admin" (if the client services use the same "nova" account)
BTW: Neutron MAY have a dedicated account for accessing nova. A service user named `neutron-nova` MAY be created for this purpose.
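The comments above turn on two checks a packager would want to script: which roles a policy.json actually references (so a role like "service" that the file names but the deployment never creates is caught), and whether a token carrying only the service role would pass a given rule (keystone token validation yes, nova get_all_tenants no). The following is an added example, not code from the bug report, packstack or oslo.policy: a small evaluator for the policy.json rule language of that era ("role:", "rule:", generic "key:value" checks, "and"/"or"/"not", parentheses, "" meaning always allowed). The two policy files are constructed samples that only mimic the shape of the real keystone and nova defaults linked above; the rule names and role set are illustrative assumptions, not copied from the real files.

```python
import re

# Constructed sample policies (assumption: shaped like the keystone and nova
# policy.json defaults discussed in the bug, but not copied from them).
KEYSTONE_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "identity:validate_token": "rule:service_or_admin",
    "identity:create_user": "rule:admin_required",
}
NOVA_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:get_all_tenants": "is_admin:True",
    "compute:get_all": "",
}

_ROLE_RE = re.compile(r"\brole:([^\s()]+)")


def referenced_roles(policy):
    """Every role name that appears in a 'role:<name>' check in the policy."""
    return {name for rule in policy.values() for name in _ROLE_RE.findall(rule)}


def missing_roles(policy, existing_roles):
    """Roles the policy relies on that do not exist in keystone (case-insensitive)."""
    existing = {r.lower() for r in existing_roles}
    return {r for r in referenced_roles(policy) if r.lower() not in existing}


def _tokenize(rule_text):
    # Split on whitespace, then peel leading "(" and trailing ")" off each word so
    # that "%(project_id)s" inside a generic check is kept as one token.
    toks = []
    for raw in rule_text.split():
        core = raw.lstrip("(")
        toks.extend(["("] * (len(raw) - len(core)))
        stripped = core.rstrip(")")
        if stripped:
            toks.append(stripped)
        toks.extend([")"] * (len(core) - len(stripped)))
    return toks


class Enforcer:
    """Minimal evaluator for policy.json rule strings (a subset of oslo.policy)."""

    def __init__(self, policy):
        self.policy = policy

    def enforce(self, rule_name, creds, target=None):
        return self._eval(self.policy[rule_name], creds, target or {})

    def _eval(self, rule_text, creds, target):
        toks = _tokenize(rule_text)
        if not toks:
            return True  # an empty rule means "always allowed"
        pos = [0]

        def peek():
            return toks[pos[0]].lower() if pos[0] < len(toks) else None

        def take():
            pos[0] += 1
            return toks[pos[0] - 1]

        def expr():  # "or" binds loosest; both sides are parsed even if the left is true
            val = term()
            while peek() == "or":
                take()
                val = term() or val
            return val

        def term():
            val = factor()
            while peek() == "and":
                take()
                val = factor() and val
            return val

        def factor():
            tok = take()
            if tok == "(":
                val = expr()
                if take() != ")":
                    raise ValueError("unbalanced parentheses in %r" % rule_text)
                return val
            if tok.lower() == "not":
                return not factor()
            return self._atom(tok, creds, target)

        result = expr()
        if pos[0] != len(toks):
            raise ValueError("trailing tokens in %r" % rule_text)
        return result

    def _atom(self, tok, creds, target):
        if tok == "@":
            return True
        if tok == "!":
            return False
        kind, sep, value = tok.partition(":")
        if not sep:
            raise ValueError("bad check %r" % tok)
        if kind == "rule":  # unknown rule names deny, as a safe default
            return self._eval(self.policy.get(value, "!"), creds, target)
        if kind == "role":
            return value.lower() in [r.lower() for r in creds.get("roles", [])]
        try:  # generic check, e.g. is_admin:True or project_id:%(project_id)s
            expected = value % target
        except KeyError:
            return False
        return kind in creds and expected == str(creds[kind])
```

Run against a service-only token (roles=["service"], is_admin=False) this yields the picture from the comments: `identity:validate_token` is allowed, `identity:create_user` is not, and nova's `compute:get_all_tenants` is denied until the caller is admin, while `missing_roles(KEYSTONE_POLICY, {"admin", "_member_"})` flags "service" as a role the policy names but the deployment never created.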
I think this bug is stale and should be closed?