Bug 1023533 - API services has all admin permission instead of service
Status: CLOSED EOL
Product: RDO
Classification: Community
Component: openstack-packstack (Show other bugs)
Assigned To: Francesco Vollero
Reported: 2013-10-25 12:07 EDT by Attila Fazekas
Modified: 2017-06-18 02:34 EDT (History)
Doc Type: Bug Fix
Last Closed: 2017-06-18 02:34:53 EDT
Type: Bug
Description Attila Fazekas 2013-10-25 12:07:21 EDT
Description of problem:
/etc/keystone/policy.json defines policies for the service role, but the service role does not exist in the system after a default packstack installation.

AFAIK, now all services just use their service account for token verification;
they do not need to be able to create new admin accounts, for example.

Expected results:
- service role is created
- the service accounts use the service role instead of admin.
Comment 1 Eoghan Glynn 2014-01-21 05:17:23 EST
The service role would be insufficient for the ceilometer user.

While it would authorize the ceilometer-api service to call token verification operations, it would not allow the ceilometer-compute agent to poll the nova-api with the all_tenants flag set (in order to discover all instances running on the local compute node), as this operation requires admin privilege, see:

Default nova policy:
  https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L4

Defaulted nova policy for get_all_tenants:
  https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L13

Enforcement of get_all_tenants policy:
  https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/servers.py#L572

So while revoking the admin role from certain service users (in favour of the more restricted service role) may work, it would not make sense currently for the ceilometer user (absent compensating changes to the nova-api RBAC policies).
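To make the argument in this comment concrete, here is an added illustration (not code from the bug or from the OpenStack projects): a deliberately simplified evaluator for policy.json rules, with constructed keystone and nova rule sets modelled on the defaults linked above, showing that a token carrying only the service role passes token validation but fails nova's get_all_tenants check.

```python
"""Simplified policy.json rule evaluator (added example, not oslo.policy).

It understands only 'role:<name>', 'rule:<name>', 'is_admin:<value>' and
'or' alternatives, which is enough to show why the service role is
sufficient for keystone token validation but not for nova's all_tenants
server listing.
"""
import json

# Constructed sample policies, modelled on (not copied from) the defaults
KEYSTONE_POLICY = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "service_role": "role:service",
  "service_or_admin": "rule:admin_required or rule:service_role",
  "identity:validate_token": "rule:service_or_admin"
}""")

NOVA_POLICY = json.loads("""{
  "admin_api": "is_admin:True",
  "compute:get_all_tenants": "rule:admin_api"
}""")

# Constructed credentials as keystonemiddleware would derive them from a token
SERVICE_CREDS = {"roles": ["service"], "is_admin": False}
ADMIN_CREDS = {"roles": ["admin"], "is_admin": True}


def check(policy, target_rule, creds):
    """Return True when creds satisfy target_rule; 'or' is the only operator."""
    for alternative in policy[target_rule].split(" or "):
        kind, _, value = alternative.strip().partition(":")
        if kind == "role" and value in creds.get("roles", []):
            return True
        if kind == "is_admin" and creds.get("is_admin") and value in ("True", "1"):
            return True
        if kind == "rule" and check(policy, value, creds):
            return True
    return False


def main():
    for name, creds in (("service", SERVICE_CREDS), ("admin", ADMIN_CREDS)):
        print(name, "validate_token:",
              check(KEYSTONE_POLICY, "identity:validate_token", creds),
              "get_all_tenants:",
              check(NOVA_POLICY, "compute:get_all_tenants", creds))


if __name__ == "__main__":
    main()
```

The service-role token validates other tokens but cannot list all tenants' instances, which is exactly the gap the ceilometer-compute agent hits.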
Comment 2 Attila Fazekas 2015-03-02 07:32:05 EST
These services are expected to work without the admin role.
"cinder": "service"
"glance": "service"
"neutron": "service"
"sahara": "service"
"trove": "service"
"zaqar": "service"

These services MAY need some additional configuration:

"swift": "admin" (an Ironic related setup mentioned where the admin role was needed)
"ironic": "admin"
"ceilometer": "admin"
"heat": "admin"
"nova": "admin" (if the client services uses the same "nova" account)

BTW: Neutron MAY have a dedicated account for accessing nova.
A service user named `neutron-nova` MAY be created for this purpose.
Comment 5 Christopher Brown 2017-06-17 12:50:34 EDT
I think this bug is stale and should be closed?