Neutron does not work by default without a keystone admin user

Bug #1346778 reported by Kevin Benton
Affects     Status    Importance  Assigned to  Milestone
Ceilometer  Invalid   Undecided   Unassigned
neutron     Expired   Undecided   Unassigned

Bug Description

The default neutron policy.json 'context_is_admin' only matches on 'role:admin' and the account that neutron is configured with must match 'context_is_admin' for neutron to function correctly. This means that without modifying policy.json, a deployer cannot use a non-admin account for neutron.

The policy.json keywords have no way to match the username of the neutron keystone credentials. This means that policy.json has to be modified for every deployment that doesn't use an admin user to match the keystone user neutron is configured with.

This seems like an unnecessary burden to leave to deployers to achieve a secure deployment.
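An added example, not code from the bug report or from neutron, that illustrates the point above and the role-based alternative discussed in the comments: a small evaluator for the policy.json rule subset involved ('role:NAME', 'rule:NAME', 'and', 'or', '!'), run against the shipped 'role:admin' rule and against a rule that also matches a dedicated deployment role. The evaluator, the policy fragments and the credentials are constructed assumptions; this is not oslo.policy and not neutron's actual policy file.

```python
import json

# Constructed policy.json fragments (example only, not neutron's shipped file).
# Default: only the keystone 'admin' role satisfies context_is_admin.
DEFAULT_POLICY = json.loads(
    '{"context_is_admin": "role:admin", "admin_only": "rule:context_is_admin"}'
)
# Role-based alternative: a dedicated deployment role also qualifies, so the
# keystone user neutron runs as no longer needs a full admin account.
ROLE_POLICY = json.loads(
    '{"context_is_admin": "role:admin or role:service", "admin_only": "rule:context_is_admin"}'
)


def check_rule(policy, rule_name, creds):
    """Evaluate `rule_name` from `policy` against `creds` (dict with a 'roles' list).

    Hypothetical evaluator for a policy.json subset: 'role:NAME', 'rule:NAME',
    '!' (always deny), '' (always allow), joined by 'and'/'or'. Unknown rules deny.
    """
    return _eval(policy.get(rule_name, "!").strip(), policy, creds, depth=0)


def _eval(expr, policy, creds, depth):
    if depth > 16:  # guard against self-referencing 'rule:' chains
        raise RecursionError(f"rule nesting too deep in {expr!r}")
    if expr == "":
        return True
    if expr == "!":
        return False
    # 'or' binds weaker than 'and', so split on 'or' first.
    if " or " in expr:
        return any(_eval(p.strip(), policy, creds, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(_eval(p.strip(), policy, creds, depth) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return _eval(policy.get(value, "!").strip(), policy, creds, depth + 1)
    raise ValueError(f"unsupported policy check: {expr!r}")


def service_user_is_admin(policy):
    # Constructed credentials for the keystone user neutron is configured with,
    # holding only a 'service' role rather than 'admin'.
    neutron_creds = {"user": "neutron", "roles": ["service"]}
    return check_rule(policy, "context_is_admin", neutron_creds)


if __name__ == "__main__":
    print("default policy admits service user:", service_user_is_admin(DEFAULT_POLICY))
    print("role-based policy admits service user:", service_user_is_admin(ROLE_POLICY))
```

With the default rule the service account fails context_is_admin (so neutron would not function), while the role-based rule admits it without granting the account the keystone admin role.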

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/108598

Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
status: New → In Progress
summary: - neutron policy can't match neutron keystone user
+ Neutron does not work without a keystone admin user
description: updated
summary: - Neutron does not work without a keystone admin user
+ Neutron does not work by default without a keystone admin user
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Kevin Benton (<email address hidden>) on branch: master
Review: https://review.openstack.org/108598
Reason: This code is bad and I should feel bad.

Changed in neutron:
assignee: Kevin Benton (kevinbenton) → nobody
status: In Progress → Opinion
Revision history for this message
Kevin Benton (kevinbenton) wrote :

I had an approach to have a special username matching keyword for policy.json to address this. It was wildly unpopular.

The general consensus was to add a role in the deployment and match based on that.

Changed in neutron:
status: Opinion → Confirmed
Revision history for this message
Brant Knudson (blk-u) wrote :

neutron policy.json should be able to use role:service for the operations that nova needs to do... are there other operations that should not be admin-only?

Also, a different role could be used for other operations, then the user wouldn't have admin auth on keystone, too.

Revision history for this message
Brant Knudson (blk-u) wrote :

There appears to be a similar issue for ceilometer -- it needs admin role when it should not.

Revision history for this message
gordon chung (chungg) wrote :

tbh, i'm not sure how this relates to ceilometer. (i realise the delay, i've been casually looking at this every so often and scratching my head)

Changed in ceilometer:
status: New → Incomplete
tags: added: low-hanging-fruit
Changed in neutron:
status: Confirmed → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired
gordon chung (chungg)
Changed in ceilometer:
status: Incomplete → Invalid