Reduce service user permissions

Most of the services create their service user with the admin permission.
This is unnecessary for token validation, so these users should be restricted
to only having the service role.

Change-Id: Id7a9366d2c6a36139240f64371002362dc2d8d3b
diff --git a/lib/ceilometer b/lib/ceilometer
index f03bab2..8fff910 100644
--- a/lib/ceilometer
+++ b/lib/ceilometer
@@ -108,7 +108,7 @@
     # Ceilometer
     if [[ "$ENABLED_SERVICES" =~ "ceilometer-api" ]]; then
 
-        create_service_user "ceilometer" "admin"
+        create_service_user "ceilometer"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
             local ceilometer_service=$(get_or_create_service "ceilometer" \
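Review bot: The one-argument call `create_service_user "ceilometer"` now depends on the helper's default role, and the helper is defined outside this diff, so nothing visible here confirms that the default is the service role the commit message names. The nova hunk keeps admin because another service reuses that user for calls beyond token validation. The same question applies here and in the cinder, ironic, sahara, swift, trove and zaqar hunks, so it is worth confirming per service that nothing else authenticates as that user for admin-only calls. I would record the outcome above each call with a comment such as `# service role only: this user is used for token validation`. The enclosing function starts and ends outside the hunk.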
diff --git a/lib/cinder b/lib/cinder
index 12ba51e..17a0cc3 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -333,7 +333,7 @@
     # Cinder
     if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
 
-        create_service_user "cinder" "admin"
+        create_service_user "cinder"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 
diff --git a/lib/ironic b/lib/ironic
index 921bcf1..bed816e 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -362,7 +362,7 @@
     if [[ "$ENABLED_SERVICES" =~ "ir-api" ]]; then
         # Get ironic user if exists
 
-        create_service_user "ironic" "admin"
+        create_service_user "ironic"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 
diff --git a/lib/nova b/lib/nova
index c760066..6a149af 100644
--- a/lib/nova
+++ b/lib/nova
@@ -356,6 +356,8 @@
     # Nova
     if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
 
+        # NOTE(jamielennox): Nova doesn't need the admin role here, however neutron uses
+        # this service user when notifying nova of changes and that requires the admin role.
         create_service_user "nova" "admin"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
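Review bot: The added NOTE explains why admin stays but not what would allow it to be removed, so the nova user remains the one over-privileged service account with no follow-up marker. The comment says the role is needed only because neutron authenticates as this user, so I would extend it with `# TODO: drop "admin" once neutron no longer uses the nova service user for its notifications`. Until then, any configuration that holds the nova service credentials (presumably neutron's as well as nova's) carries admin rights and should be protected accordingly. The enclosing function continues outside the hunk.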
diff --git a/lib/sahara b/lib/sahara
index b3ca32f..db200cc 100644
--- a/lib/sahara
+++ b/lib/sahara
@@ -61,7 +61,7 @@
 # service     sahara    admin
 function create_sahara_accounts {
 
-    create_service_user "sahara" "admin"
+    create_service_user "sahara"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 
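Review bot: The context line above the function, `# service     sahara    admin`, still documents the sahara user as holding admin, which no longer matches `create_service_user "sahara"`. Going by the commit message the user now gets only the service role, so the row should read `# service     sahara    service`. The helper's default is defined outside this diff, so confirm the role name before updating the comment. The body of create_sahara_accounts continues past the hunk.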
diff --git a/lib/swift b/lib/swift
index d9f750c..31a1ba1 100644
--- a/lib/swift
+++ b/lib/swift
@@ -603,7 +603,7 @@
 
     local another_role=$(openstack role list | awk "/ anotherrole / { print \$2 }")
 
-    create_service_user "swift" "admin"
+    create_service_user "swift"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 
diff --git a/lib/trove b/lib/trove
index d32c776..e1b307a 100644
--- a/lib/trove
+++ b/lib/trove
@@ -81,7 +81,7 @@
 function create_trove_accounts {
     if [[ "$ENABLED_SERVICES" =~ "trove" ]]; then
 
-        create_service_user "trove" "admin"
+        create_service_user "trove"
 
         if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
 
diff --git a/lib/zaqar b/lib/zaqar
index 8b560bb..4a24415 100644
--- a/lib/zaqar
+++ b/lib/zaqar
@@ -215,7 +215,7 @@
 }
 
 function create_zaqar_accounts {
-    create_service_user "zaqar" "admin"
+    create_service_user "zaqar"
 
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then