Neutron does not work by default without a keystone admin user
Bug #1346778 reported by Kevin Benton
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ceilometer | Invalid | Undecided | Unassigned |
neutron | Expired | Undecided | Unassigned |
Bug Description
The default neutron policy.json 'context_is_admin' only matches on 'role:admin' and the account that neutron is configured with must match 'context_is_admin' for neutron to function correctly. This means that without modifying policy.json, a deployer cannot use a non-admin account for neutron.
The policy.json keywords have no way to match the username of the neutron keystone credentials. This means that policy.json has to be modified for every deployment that doesn't use an admin user to match the keystone user neutron is configured with.
This seems like an unnecessary burden to leave to deployers to achieve a secure deployment.
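The following is an added example, not part of the original bug report and not neutron's own policy engine: a simplified evaluator that handles only `role:<name>` checks joined with `or`, used to audit whether the keystone account neutron is configured with satisfies `context_is_admin`. The role name `neutron_service` and the modified rule are assumptions for illustration.

```python
import json

# Constructed policy documents. The first rule is the default quoted in the
# report; "neutron_service" in the second is a hypothetical role name.
DEFAULT_POLICY = json.loads('{"context_is_admin": "role:admin"}')
MODIFIED_POLICY = json.loads(
    '{"context_is_admin": "role:admin or role:neutron_service"}')


def roles_allowed_by(rule):
    """Role names accepted by a rule built only from 'role:<name>' checks
    joined with 'or' (a small subset of the policy language)."""
    allowed = set()
    for check in rule.split(" or "):
        kind, sep, match = check.strip().partition(":")
        if kind != "role" or not sep or not match:
            raise ValueError("unsupported check: %r" % check)
        allowed.add(match.lower())
    return allowed


def is_admin_context(policy, roles):
    """True if any role held by the account satisfies context_is_admin.
    Role names are compared case-insensitively in this example."""
    allowed = roles_allowed_by(policy["context_is_admin"])
    return any(role.lower() in allowed for role in roles)


def audit_service_account(policy, roles):
    """Classify the keystone account neutron is configured with."""
    if not is_admin_context(policy, roles):
        return "broken: account does not match context_is_admin"
    if "admin" in (role.lower() for role in roles):
        return "works, but the service account holds the admin role"
    return "works with a non-admin service account"


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY),
                         ("modified", MODIFIED_POLICY)):
        for roles in (["admin"], ["neutron_service"]):
            print(name, roles, "->", audit_service_account(policy, roles))
```
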
summary:
- neutron policy can't match neutron keystone user
+ Neutron does not work without a keystone admin user
description: updated
summary:
- Neutron does not work without a keystone admin user
+ Neutron does not work by default without a keystone admin user
Changed in neutron:
assignee: Kevin Benton (kevinbenton) → nobody
status: In Progress → Opinion
tags: added: low-hanging-fruit
Changed in neutron:
status: Confirmed → Incomplete
Changed in ceilometer:
status: Incomplete → Invalid
Fix proposed to branch: master
Review: https://review.openstack.org/108598