devstack should create admin tenant, users for each service, and associated role for each
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
devstack | Fix Released | Undecided | Joseph Heck | |
Bug Description
within keystone_data.sh:
* devstack should create a tenant named "service"
* and keystone users for each service enabled in : ['nova', 'glance', 'horizon', 'quantum', 'swift']
* the script should also assign the role "admin" for each of those users against the tenant "service"
from associated thread on http://
devstack should create tenant named "service", and users named "nova", "glance", "quantum", ... (or just a couple and describe that you could create an arbitrary number of users per service deployments)
(termie) sure, "service" or "admin"
(jesse) I'd like to have a name we recommend to deployers/operators to use - and service seems better?
(jay) service is good. admins are people... services are, well, services.
(termie) sure, i can get behind that -thrust-
(jesse) then should we use a role "service" or "admin:service" or ?
(jay) For the service role, I think the role should just be "super" or something like that, meaning no restrictions on use. Different from admin in that I view the term "admin" as a role for users, not services.
(termie) well, right now there is only one admin role, so we are going to use that
(jesse) for today ADMIN, for essex should we have a bug to use a different name (thinking of documentation)
(termie) i feel like it is a relatively "new" feature to provide the granular access to things since to now we've only done admin, we could do it but it will require a lot of testing to get correct since it is adding additional permissions that weren't checked before
(jesse) :( we should NOT change it if it adds anything more than a small risk..
(jay) agreed, certainly for Essex.
(termie) once i drop policy.py in this mofo i think we can at least experiment with it and if we feel really good about it we could make the decision
(jesse) eta for drop of policy - e4? (tonight)
(termie) yes, at that point we can experiment with things, but the initial implementation will be no change to current policy (you are an admin or you are a public user)
Changed in devstack:
status: New → Confirmed
description: updated
Changed in devstack:
assignee: nobody → Dean Troyer (dtroyer)
Changed in devstack:
status: Confirmed → Fix Committed
Changed in devstack:
status: Fix Committed → Fix Released
Mostly addressed in https://review.openstack.org/4668. Is a horizon user necessary? This is the first I've even thought about it. If so, should there be a service entry in keystone for it also?