yahoo-eng-team team mailing list archive

[Bug 1346778] [NEW] neutron policy can't match neutron keystone user

 

Public bug reported:

The policy.json keywords have no way to match the username of the
neutron keystone credentials. This is relevant because neutron is
overprivileged when it has an admin account. To solve this, a deployer
can give it an account with the service role instead of the admin role.
However, for this to work the deployer has to then modify the is_admin
rule in policy.json to hardcode in the user_name or user_id used by
neutron so it can promote that account to admin-level operations inside
of neutron.

** Affects: neutron
     Importance: Undecided
     Assignee: Kevin Benton (kevinbenton)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1346778

Title:
  neutron policy can't match neutron keystone user

Status in OpenStack Neutron (virtual network service):
  In Progress


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1346778/+subscriptions
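
The limitation described in the report, as an added example that is not part of the original message and is not neutron's or oslo's code: a simplified model of `kind:match` policy checks, showing that a rule naming the service user can never match while the credentials handed to the policy engine carry no `user_name`. The evaluator, the rule strings and the credential dictionaries are all constructed for illustration; that `user_name` would be the attribute name is an assumption.

```python
# Simplified model of "kind:match" policy atoms joined by "and" / "or".
# Illustrative only: not neutron's policy engine and not its policy.json.

def check(atom, creds):
    """Evaluate one 'kind:match' atom against a credentials dict."""
    kind, _, match = atom.partition(":")
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic attribute check: an attribute the credentials do not
    # carry can never match, whatever the rule says.
    return kind in creds and str(creds[kind]) == match

def evaluate(rule, creds):
    """Evaluate 'a and b or c' with 'and' binding tighter (no parentheses)."""
    return any(
        all(check(atom.strip(), creds) for atom in clause.split(" and "))
        for clause in rule.split(" or ")
    )

# Constructed credentials (assumed shapes, not taken from a deployment).
ADMIN_USER = {"roles": ["admin"]}
# Service-role account as the policy engine sees it when no user name
# is exposed to policy checks (the situation the bug describes).
NEUTRON_NO_NAME = {"roles": ["service"]}
# The same account once the user name is available for matching.
NEUTRON_WITH_NAME = {"roles": ["service"], "user_name": "neutron"}
# A different service-role account that must not be promoted.
OTHER_SERVICE = {"roles": ["service"], "user_name": "other-service"}

# Admin rule as shipped in this model, and the deployer's hardcoded variant.
RULE_ROLE_ONLY = "role:admin"
RULE_PINNED = "role:admin or role:service and user_name:neutron"

def promoted(rule, creds):
    """True when the rule treats these credentials as admin."""
    return evaluate(rule, creds)

if __name__ == "__main__":
    for label, creds in [("admin", ADMIN_USER),
                         ("neutron, no user_name", NEUTRON_NO_NAME),
                         ("neutron, with user_name", NEUTRON_WITH_NAME),
                         ("other service", OTHER_SERVICE)]:
        print(f"{label:26} role-only={promoted(RULE_ROLE_ONLY, creds)!s:5} "
              f"pinned={promoted(RULE_PINNED, creds)}")
```

Pinning the rule to both the service role and the specific user keeps other service-role accounts from being promoted along with it.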

