Nova user should not have admin role

Bug #1445199 reported by Brant Knudson
Affects                      Status     Importance  Assigned to  Milestone
OpenStack Compute (nova)     Confirmed  Low         Unassigned
OpenStack Security Advisory  Invalid    Undecided   Unassigned
devstack                     Invalid    Undecided   Unassigned

Bug Description

Most of the service users are granted the 'service' role on the 'service' project, except the 'nova' user, which is given 'admin'. The 'nova' user should also be given only the 'service' role on the 'service' project.

This is for security hardening.

Revision history for this message
Brant Knudson (blk-u) wrote :

I think the reason the 'nova' user needs the 'admin' role is because neutron uses it to send a network allocation event back to nova. Nova should be configured by default to allow users with the 'service' role to do this operation and not require the 'admin' role.

information type: Public → Public Security
Revision history for this message
Jeremy Stanley (fungi) wrote :

In your bug description you indicate this is only a security hardening measure, but now you've switched the bug type to indicate it's an exploitable security vulnerability. Also this looks like a duplicate of bug 1445475 reported against nova.

Changed in ossa:
status: New → Incomplete
Revision history for this message
Brant Knudson (blk-u) wrote :

Switched back to not security since there's no exploit as far as I know.

information type: Public Security → Public
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (master)

Fix proposed to branch: master
Review: https://review.openstack.org/175222

Changed in devstack:
assignee: nobody → Brant Knudson (blk-u)
status: New → In Progress
Thierry Carrez (ttx)
Changed in ossa:
status: Incomplete → Invalid
Revision history for this message
jichenjc (jichenjc) wrote :

Is it related to nova? It looks to me like it's devstack changes that are needed. Thanks.

Changed in nova:
status: New → Incomplete
Revision history for this message
Brant Knudson (blk-u) wrote :

The change in devstack isn't going to work until nova is updated.

Revision history for this message
Sean Dague (sdague) wrote :

The crux of this issue is:

http://logs.openstack.org/22/175222/3/check/gate-tempest-dsvm-neutron-full/d016488/logs/screen-q-svc.txt.gz?level=ERROR#_2015-10-21_20_09_01_058

2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova [-] Failed to notify nova on events: [{'status': 'completed', 'tag': u'd6bd328d-902d-4a75-9d5e-b6720b145389', 'name': 'network-vif-plugged', 'server_uuid': u'a62cb874-d793-4e17-86b0-d38343e2e9e5'}]
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova Traceback (most recent call last):
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova File "/opt/stack/new/neutron/neutron/notifiers/nova.py", line 247, in send_events
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova batched_events)
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova File "/usr/local/lib/python2.7/dist-packages/novaclient/v2/contrib/server_external_events.py", line 39, in create
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova return_raw=True)
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova File "/usr/local/lib/python2.7/dist-packages/novaclient/base.py", line 172, in _create
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova _resp, body = self.api.client.post(url, body=body)
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 176, in post
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova return self.request(url, 'POST', **kwargs)
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova File "/usr/local/lib/python2.7/dist-packages/novaclient/client.py", line 93, in request
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova raise exceptions.from_response(resp, body, url, method)
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova Forbidden: Policy doesn't allow os_compute_api:os-server-external-events:create to be performed. (HTTP 403) (Request-ID: req-ca76a78f-4537-48a8-bb2c-ffceaa7e276e)
2015-10-21 20:09:01.058 7195 ERROR neutron.notifiers.nova

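The two comments above pin down the mechanism: neutron calls nova's os-server-external-events API with the 'nova' service user's token, and nova's policy rule for that action only accepts the 'admin' role, so a token carrying only 'service' gets the 403 shown in the log. The block below is an added example, not nova's or oslo.policy's code. It implements a toy evaluator for the subset of the oslo.policy rule language involved (role:, rule:, 'and', 'or') and runs the default rule beside a hardened one that also accepts the 'service' role. The policy fragments and token contents are constructed; the default rule string is an assumption based on the 403 message, not a copy of nova's policy.json.

```python
"""Toy evaluator for a subset of the oslo.policy rule language.

Added example, not nova's or oslo.policy's code. It understands only:
  role:<name>    true when the token carries that role
  rule:<name>    evaluate another named rule
  a or b         either side holds
  a and b        both sides hold ('and' binds tighter than 'or')
  "" or "@"      always allowed;  "!"  never allowed
Parentheses, 'not' and attribute checks such as project_id:%(project_id)s
are not supported.
"""
import json

ACTION = "os_compute_api:os-server-external-events:create"

# Constructed policy.json fragments. The default mirrors what the 403 in the
# log above implies; the rule string is an assumption, not nova's file.
DEFAULT_POLICY = json.dumps({
    "admin_api": "role:admin",
    "service_api": "role:service",
    ACTION: "rule:admin_api",
})

# Hardened variant: a token with the 'service' role is also accepted.
HARDENED_POLICY = json.dumps({
    "admin_api": "role:admin",
    "service_api": "role:service",
    ACTION: "rule:admin_api or rule:service_api",
})

# Constructed token contents for the 'nova' service user, as neutron would
# present them when calling nova (user/project names are illustrative).
SERVICE_ROLE_CREDS = {"user": "nova", "project": "service", "roles": ["service"]}
ADMIN_ROLE_CREDS = {"user": "nova", "project": "service", "roles": ["admin"]}


def _check(atom, creds, rules, depth):
    """Evaluate one 'kind:value' check against the token."""
    atom = atom.strip()
    if atom in ("", "@"):
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        # An undefined rule denies here; oslo.policy would first look for a
        # 'default' rule, which this toy omits.
        return _evaluate(rules.get(value, "!"), creds, rules, depth + 1)
    raise ValueError("unsupported check: %r" % atom)


def _evaluate(expr, creds, rules, depth=0):
    """'or' splits into branches; every 'and' term in a branch must hold."""
    if depth > 10:
        raise RecursionError("rule reference loop in policy")
    for branch in expr.split(" or "):
        if all(_check(term, creds, rules, depth) for term in branch.split(" and ")):
            return True
    return False


def enforce(policy_json, action, creds):
    """Return True if the token may perform the action under this policy."""
    rules = json.loads(policy_json)
    if action not in rules:
        return False  # no 'default' rule in this toy: unknown actions are denied
    return _evaluate(rules[action], creds, rules)


def can_send_external_events(policy_json, creds):
    return enforce(policy_json, ACTION, creds)


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print("%-8s service-role token -> %s, admin-role token -> %s" % (
            name,
            can_send_external_events(policy, SERVICE_ROLE_CREDS),
            can_send_external_events(policy, ADMIN_ROLE_CREDS)))
```

Under the default policy the service-role token is denied (the 403 in the log) and only the admin-role token passes; under the hardened rule both pass, which is what would let devstack drop 'admin' from the 'nova' user. One caveat: widening the rule to role:service admits every service user that holds that role, not just the one neutron uses, so in a real deployment the rule should be checked against which users are granted 'service' on the 'service' project.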
Revision history for this message
Markus Zoeller (markus_z) (mzoeller) wrote :

The question in comment #5 (-> incomplete) got answered in comment #6.
From a discussion with the keystone folks in IRC [1] it seems that
Nova has to create a change for that (-> Confirmed).

Please also be aware of bug 1464750 and bug 968696 which have a lot
of overlap with this bug report here.

References:
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-03-08.log.html#t2016-03-08T19:17:20

Changed in nova:
status: Incomplete → Confirmed
importance: Undecided → Low
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on devstack (master)

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/175222
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Changed in nova:
assignee: nobody → Nazeema Begum (nazeema123)
Changed in nova:
assignee: Nazeema Begum (nazeema123) → nobody
Brant Knudson (blk-u)
Changed in devstack:
assignee: Brant Knudson (blk-u) → nobody
Revision history for this message
Sean Dague (sdague) wrote :

There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.

Changed in devstack:
status: In Progress → New
Revision history for this message
Dr. Jens Harbott (j-harbott) wrote :

Devstack is meant to provide a deployment suitable for development, not a hardened setup that could be used in production. While it could adopt this if Nova supported it, I'll mark the bug as invalid for devstack.

Changed in devstack:
status: New → Invalid