Nova user should not have admin role
Bug #1445199 reported by Brant Knudson
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Confirmed | Low | Unassigned |
OpenStack Security Advisory | Invalid | Undecided | Unassigned |
devstack | Invalid | Undecided | Unassigned |
Bug Description
Most of the service users are granted the 'service' role on the 'service' project, except the 'nova' user which is given 'admin'. The 'nova' user should also be given only the 'service' role on the 'service' project.
This is for security hardening.
Changed in ossa: status: Incomplete → Invalid
Changed in nova: assignee: nobody → Nazeema Begum (nazeema123)
Changed in nova: assignee: Nazeema Begum (nazeema123) → nobody
Changed in devstack: assignee: Brant Knudson (blk-u) → nobody
I think the reason the 'nova' user needs the 'admin' role is because neutron uses it to send a network allocation event back to nova. Nova should be configured by default to allow users with the 'service' role to do this operation and not require the 'admin' role.
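An added audit sketch for the hardening point in the bug description (not code from nova, devstack or this bug report): it scans role assignments exported as JSON and reports any user on the 'service' project holding a role other than 'service'. The column names and the `name@domain` form are assumed to match `openstack role assignment list --names -f json`; the sample data is constructed.

```python
import json

# Constructed sample data. The shape (Role/User/Group/Project/Domain/Inherited,
# names suffixed with "@domain") is an assumption of this example.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"Role": "service", "User": "glance@Default", "Group": "",
     "Project": "service@Default", "Domain": "", "Inherited": False},
    {"Role": "service", "User": "neutron@Default", "Group": "",
     "Project": "service@Default", "Domain": "", "Inherited": False},
    {"Role": "admin", "User": "nova@Default", "Group": "",
     "Project": "service@Default", "Domain": "", "Inherited": False},
    {"Role": "admin", "User": "admin@Default", "Group": "",
     "Project": "admin@Default", "Domain": "", "Inherited": False},
])


def _name(value):
    """Return the bare name from a 'name@domain' string (empty if missing)."""
    return (value or "").split("@", 1)[0]


def over_privileged(assignments_json, service_project="service",
                    allowed_roles=("service",)):
    """Return sorted (user, role) pairs on the service project whose role
    is not in allowed_roles."""
    findings = set()
    for row in json.loads(assignments_json):
        user = _name(row.get("User"))
        if not user:
            # Group or otherwise user-less assignment: out of scope here.
            continue
        if _name(row.get("Project")) != service_project:
            # Only assignments on the service project are audited.
            continue
        role = _name(row.get("Role"))
        if role not in allowed_roles:
            findings.add((user, role))
    return sorted(findings)


if __name__ == "__main__":
    for user, role in over_privileged(SAMPLE_ASSIGNMENTS):
        print(f"{user}: unexpected role '{role}' on the service project")
```
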