yahoo-eng-team team mailing list archive
Message #32070
[Bug 1346778] Re: Neutron does not work by default without a keystone admin user
I had an approach to have a special username matching keyword for
policy.json to address this. It was wildly unpopular.
The general consensus was to add a role in the deployment and match
based on that.
** Changed in: neutron
Assignee: Kevin Benton (kevinbenton) => (unassigned)
** Changed in: neutron
Status: In Progress => Opinion
** Changed in: neutron
Status: Opinion => Confirmed
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1346778
Title:
Neutron does not work by default without a keystone admin user
Status in OpenStack Neutron (virtual network service):
Confirmed
Bug description:
The default neutron policy.json 'context_is_admin' only matches on
'role:admin' and the account that neutron is configured with must
match 'context_is_admin' for neutron to function correctly. This means
that without modifying policy.json, a deployer cannot use a non-admin
account for neutron.
The policy.json keywords have no way to match the username of the
neutron keystone credentials. This means that policy.json has to be
modified for every deployment that doesn't use an admin user to match
the keystone user neutron is configured with.
This seems like an unnecessary burden to leave to deployers to achieve
a secure deployment.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1346778/+subscriptions
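The role-based match mentioned in the reply, as an added example that is not part of the original message and is not Neutron's or oslo.policy's code: a simplified evaluator for `role:`/`rule:` checks shows why a non-admin service account fails the default `context_is_admin` rule and passes once a deployment role is added. The role name `neutron_service` and the sample credentials are assumptions made for illustration.

```python
import json

# Default rule as quoted in the bug description.
DEFAULT_POLICY = json.loads('{"context_is_admin": "role:admin"}')
# Deployment-specific variant; "neutron_service" is a hypothetical role name.
ROLE_POLICY = json.loads(
    '{"context_is_admin": "role:admin or role:neutron_service"}'
)


def check(expr, creds, rules):
    """Evaluate a small subset of the policy language: role:/rule: checks
    joined by 'or' / 'and' (no parentheses, no 'not')."""
    def atom(token):
        kind, _, value = token.partition(":")
        if kind == "role":
            return value.lower() in (r.lower() for r in creds.get("roles", []))
        if kind == "rule":
            # Fail closed when the referenced rule is not defined.
            return value in rules and check(rules[value], creds, rules)
        raise ValueError(f"unsupported check: {token!r}")

    # In this sketch every 'or' clause is a conjunction of 'and' terms.
    return any(
        all(atom(t.strip()) for t in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def is_admin_context(creds, policy):
    return check(policy["context_is_admin"], creds, policy)


# Constructed credentials (sample data, not taken from the bug report).
ADMIN_USER = {"user": "admin", "roles": ["admin"]}
SERVICE_USER = {"user": "neutron", "roles": ["neutron_service"]}
TENANT_USER = {"user": "alice", "roles": ["member"]}

if __name__ == "__main__":
    for creds in (ADMIN_USER, SERVICE_USER, TENANT_USER):
        print(creds["user"],
              "default:", is_admin_context(creds, DEFAULT_POLICY),
              "role-based:", is_admin_context(creds, ROLE_POLICY))
```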