Use service role for neutron instead of admin
When creating the account for neutron to use in keystone,
give it a service role instead of an admin role so it isn't
overprivileged with the ability to create and delete tenants.
Also set the Neutron policy.json file to allow the Neutron
account to administer Neutron.
Closes-Bug: #1344463
Change-Id: I86b15cfcffe549654c28f425c2bcf99403ac10bc
diff --git a/lib/neutron b/lib/neutron
index 81f2697..a48f519 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -457,13 +457,13 @@
function create_neutron_accounts {
local service_tenant=$(openstack project list | awk "/ $SERVICE_TENANT_NAME / { print \$2 }")
- local admin_role=$(openstack role list | awk "/ admin / { print \$2 }")
+ local service_role=$(openstack role list | awk "/ service / { print \$2 }")
if [[ "$ENABLED_SERVICES" =~ "q-svc" ]]; then
local neutron_user=$(get_or_create_user "neutron" \
"$SERVICE_PASSWORD" $service_tenant)
- get_or_add_user_role $admin_role $neutron_user $service_tenant
+ get_or_add_user_role $service_role $neutron_user $service_tenant
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
@@ -889,6 +889,9 @@
cp $NEUTRON_DIR/etc/api-paste.ini $Q_API_PASTE_FILE
cp $NEUTRON_DIR/etc/policy.json $Q_POLICY_FILE
+ # allow neutron user to administer neutron to match neutron account
+ sed -i 's/"context_is_admin": "role:admin"/"context_is_admin": "role:admin or user_name:neutron"/g' $Q_POLICY_FILE
+
# Update either configuration file with plugin
iniset $NEUTRON_CONF DEFAULT core_plugin $Q_PLUGIN_CLASS