Do not assign admin to service users

As pointed out by Brant Knudson in change [1], the sample policy file
allows the service user to validate tokens [2], so service users do not
need the 'admin' role; the 'service' role is sufficient.

This patch adds the 'service' role creation to our tools/sample_data.sh
and updates service roles to it rather than 'admin'.

[1] Iebc4f6b005e0466fe60691d964c7dea0e0eee947
[2] http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.json#n94

Change-Id: I3336514f7a2e1e749908d92b693d765c3ed48f51
Samuel de Medeiros Queiroz 2016-02-02 14:24:44 -03:00
parent 19f3ad9eca
commit 9d52fb6352
1 changed files with 18 additions and 12 deletions


@ -32,11 +32,11 @@
# Tenant User Roles # Tenant User Roles
# ------------------------------------------------------- # -------------------------------------------------------
# demo admin admin # demo admin admin
# service glance admin # service glance service
# service nova admin # service nova service
# service ec2 admin # service ec2 service
# service swift admin # service swift service
# service neutron admin # service neutron service
# By default, passwords used are those in the OpenStack Install and Deploy Manual. # By default, passwords used are those in the OpenStack Install and Deploy Manual.
# One can override these (publicly known, and hence, insecure) passwords by setting the appropriate # One can override these (publicly known, and hence, insecure) passwords by setting the appropriate
@ -100,6 +100,14 @@ function get_id () {
echo `"$@" | grep ' id ' | awk '{print $4}'` echo `"$@" | grep ' id ' | awk '{print $4}'`
} }
#
# Roles
#
openstack role create admin
openstack role create service
# #
# Default tenant # Default tenant
# #
@ -109,8 +117,6 @@ openstack project create demo \
openstack user create admin --project demo \ openstack user create admin --project demo \
--password "${ADMIN_PASSWORD}" --password "${ADMIN_PASSWORD}"
openstack role create admin
openstack role add --user admin \ openstack role add --user admin \
--project demo\ --project demo\
admin admin
@ -126,35 +132,35 @@ openstack user create glance --project service\
openstack role add --user glance \ openstack role add --user glance \
--project service \ --project service \
admin service
openstack user create nova --project service\ openstack user create nova --project service\
--password "${NOVA_PASSWORD}" --password "${NOVA_PASSWORD}"
openstack role add --user nova \ openstack role add --user nova \
--project service \ --project service \
admin service
openstack user create ec2 --project service \ openstack user create ec2 --project service \
--password "${EC2_PASSWORD}" --password "${EC2_PASSWORD}"
openstack role add --user ec2 \ openstack role add --user ec2 \
--project service \ --project service \
admin service
openstack user create swift --project service \ openstack user create swift --project service \
--password "${SWIFT_PASSWORD}" \ --password "${SWIFT_PASSWORD}" \
openstack role add --user swift \ openstack role add --user swift \
--project service \ --project service \
admin service
openstack user create neutron --project service \ openstack user create neutron --project service \
--password "${NEUTRON_PASSWORD}" \ --password "${NEUTRON_PASSWORD}" \
openstack role add --user neutron \ openstack role add --user neutron \
--project service \ --project service \
admin service
# #
# Keystone service # Keystone service