A few in-flight thoughts:
Nova is the only service that accesses Neutron directly using its service account.
Other inter-service RPC either uses the end-user's token or the Message Queue. We might want to consider just granting the nova service account elevated access to Neutron and not all service accounts in general.
I will verify, test and propose fixes along these lines ASAP.