Reduce service user permissions
Most of the services create the service user with the admin permission.
This is unnecessary for token validation and they should be restricted
to only having the service role.
Change-Id: Id7a9366d2c6a36139240f64371002362dc2d8d3b
diff --git a/lib/nova b/lib/nova
index c760066..6a149af 100644
--- a/lib/nova
+++ b/lib/nova
@@ -356,6 +356,8 @@
# Nova
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
+ # NOTE(jamielennox): Nova doesn't need the admin role here, however neutron uses
+ # this service user when notifying nova of changes and that requires the admin role.
create_service_user "nova" "admin"
if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then