Do not assign admin to service users

As pointed out by Brant Knudson in change [1], the sample policy file allows the service user to validate tokens [2], so service users don't need 'admin' role, they only need 'service'. This patch adds the 'service' role creation to our tools/sample_data.sh and updates service roles to it rather than 'admin'. [1] Iebc4f6b005e0466fe60691d964c7dea0e0eee947 [2] http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.json#n94 Change-Id: I3336514f7a2e1e749908d92b693d765c3ed48f51
2016-02-02 14:24:44 -03:00 · 2016-02-02 14:24:44 -03:00 · 9d52fb6352
commit 9d52fb6352
parent 19f3ad9eca
1 changed files with 18 additions and 12 deletions
--- a/tools/sample_data.sh
+++ b/tools/sample_data.sh
@ -32,11 +32,11 @@
 # Tenant               User      Roles
 # -------------------------------------------------------
 # demo                 admin     admin
-# service              glance    admin
-# service              nova      admin
-# service              ec2       admin
-# service              swift     admin
-# service              neutron   admin
+# service              glance    service
+# service              nova      service
+# service              ec2       service
+# service              swift     service
+# service              neutron   service

 # By default, passwords used are those in the OpenStack Install and Deploy Manual.
 # One can override these (publicly known, and hence, insecure) passwords by setting the appropriate
@ -100,6 +100,14 @@ function get_id () {
    echo `"$@" | grep ' id ' | awk '{print $4}'`
 }

+#
+# Roles
+#
+
+openstack role create admin
+
+openstack role create service
+
 #
 # Default tenant
 #
@ -109,8 +117,6 @@ openstack project create demo \
 openstack user create admin --project demo \
                      --password "${ADMIN_PASSWORD}"

-openstack role create admin
-
 openstack role add --user admin \
                   --project demo\
                   admin
@ -126,35 +132,35 @@ openstack user create glance --project service\

 openstack role add --user glance \
                   --project service \
-                   admin
+                   service

 openstack user create nova --project service\
                      --password "${NOVA_PASSWORD}"

 openstack role add --user nova \
                   --project service \
-                   admin
+                   service

 openstack user create ec2 --project service \
                      --password "${EC2_PASSWORD}"

 openstack role add --user ec2 \
                   --project service \
-                   admin
+                   service

 openstack user create swift --project service \
                      --password "${SWIFT_PASSWORD}" \

 openstack role add --user swift \
                   --project service \
-                   admin
+                   service

 openstack user create neutron --project service \
                      --password "${NEUTRON_PASSWORD}" \

 openstack role add --user neutron \
                   --project service \
-                   admin
+                   service

 #
 # Keystone service