neutron service user should not require admin
Bug #1445475 reported by
Brant Knudson
This bug report is a duplicate of: Bug #1346778: Neutron does not work by default without a keystone admin user.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Incomplete | Undecided | Unassigned | |
| neutron | New | Undecided | Unassigned | |
Bug Description
The typical config has nova using the 'neutron' user in the 'service' project to do operations against Neutron. The 'neutron' user should not require the 'admin' role on the 'service' project to do all the operations it needs to do against Neutron. Neutron's default policy.json should allow the 'neutron' user (i.e., users with the 'service' role) to do all the operations it needs to do against Neutron, rather than requiring 'admin'.
Nova is allocating networks and creating ports, so these operations need to allow the 'service' role to perform these operations, too.
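As an added illustration (not part of the bug report and not Neutron's own policy file), the shape of the change the report asks for, written as an oslo.policy-style policy.json fragment. Neutron's default file of that era gated port binding and network provider attributes behind `rule:admin_only`, which is why the `neutron` service user needed the `admin` role. The fragment below keeps `context_is_admin` unchanged and instead introduces an assumed alias, `admin_or_service`, that is applied only to the operations nova performs when it allocates networks and creates ports for instances; the rule names (`create_port:binding:host_id`, `create_network:provider:*`, and so on) are assumed to match the Neutron policy keys of the time and should be checked against the deployed policy.json before use.

```json
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_only": "rule:context_is_admin",

    "admin_or_service": "rule:context_is_admin or role:service",

    "create_network": "",
    "create_network:shared": "rule:admin_only",
    "create_network:provider:network_type": "rule:admin_or_service",
    "create_network:provider:physical_network": "rule:admin_or_service",
    "create_network:provider:segmentation_id": "rule:admin_or_service",

    "create_port": "",
    "create_port:mac_address": "rule:admin_or_network_owner",
    "create_port:binding:host_id": "rule:admin_or_service",
    "create_port:binding:profile": "rule:admin_or_service",
    "get_port:binding:host_id": "rule:admin_or_service",

    "update_port": "rule:admin_or_owner",
    "update_port:binding:host_id": "rule:admin_or_service",

    "delete_port": "rule:admin_or_owner"
}
```

The point of scoping the new alias to individual targets, rather than adding `role:service` to `context_is_admin`, is the one the report makes: a user holding `service` on the `service` project should be able to bind ports and allocate instance networks, but should not thereby become an all-access Neutron admin. Targets that nova never touches (here `create_network:shared`) stay `admin_only`, and any target changed to `admin_or_service` should be verified by exercising it with a token that carries only the `service` role and with a token that carries neither role.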
Giving the neutron user the admin role gives it too much authority, and is a potential privilege escalation.