Assign project-scoped service role for token validation
When SRBAC is enforced (*1), keystone requires one of the following conditions for the validate token API:

1) The user has the service role assigned
2) The user is a system reader
3) The user generated the token

When the authtoken middleware validates tokens in requests, it uses service users to call the validate_token API of Keystone. In this case condition 3 is never met (the token is generated by an external user while it is validated by the service user used in the API). In addition, currently all credentials used for the authtoken middleware are project-scoped, not system-scoped, so condition 2 is never met (*2) if SRBAC is enforced.

This change adds the project-scoped service role to all service users so that all service users can use the validate_token API even if SRBAC is enforced.

An alternative approach would be to assign the system-scoped reader role to these users and replace the credentials for the authtoken middleware with system-scoped ones, but we are likely to need additional considerations to establish a proper design of system-scoped role assignment.

(*1) When scope evaluation is enforced (enforce_scope=True) and new rules are enforced (enforce_new_defaults=True)
(*2) There are a few exceptions like the nova user, which already has the project-scoped service role to use the service token feature.

Change-Id: I18acd8da7913e2136bfa67c858381ede6c1e3d24
parent 65c005cf9a
commit 3b80985e56
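The three conditions in the commit message, and why the authtoken middleware's project-scoped service user only satisfies the first of them, can be checked offline with a small model of the decision. The block below is an added example written for this page; it is not keystone code and not part of tripleo-heat-templates. The `Credentials` class, the constructed `aodh`/`end-user` identities and the legacy branch (admin or service or token subject, my reading of the pre-SRBAC rule) are assumptions of the example, not something the patch states.

```python
"""Offline model of keystone's validate_token authorization under SRBAC.

Added example, not keystone or tripleo-heat-templates code. The shape of
Credentials and the legacy (non-SRBAC) rule are assumptions of this model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credentials:
    """Caller of validate_token as keystone sees it (hypothetical shape)."""
    user_id: str
    roles: frozenset            # roles carried by the caller's own token
    system_scope: bool = False  # True only for a system-scoped token


def may_validate_token(caller, target_token_user_id,
                       enforce_scope=True, enforce_new_defaults=True):
    """Decide whether `caller` may validate a token issued to
    `target_token_user_id`.

    SRBAC is enforced when both enforce_scope and enforce_new_defaults are
    True; the caller must then meet one of the three conditions from the
    commit message. The legacy branch models the old rule as
    "admin or service or token subject" (assumption of this example).
    """
    is_token_subject = caller.user_id == target_token_user_id
    has_service_role = "service" in caller.roles
    if not (enforce_scope and enforce_new_defaults):
        return "admin" in caller.roles or has_service_role or is_token_subject
    is_system_reader = caller.system_scope and "reader" in caller.roles
    return has_service_role or is_system_reader or is_token_subject


def authtoken_middleware_outcomes(end_user_id="end-user"):
    """Simulate the authtoken middleware: a project-scoped service user
    validates a token that belongs to an end user, before and after the
    patch. All credentials here are constructed for the example."""
    before = Credentials("aodh", frozenset({"admin"}))            # roles before patch
    after = Credentials("aodh", frozenset({"admin", "service"}))  # roles after patch
    return {
        "legacy_admin_only": may_validate_token(before, end_user_id, False, False),
        "srbac_admin_only": may_validate_token(before, end_user_id),
        "srbac_admin_and_service": may_validate_token(after, end_user_id),
        # the alternative the commit message mentions: a system-scoped reader
        "srbac_system_reader": may_validate_token(
            Credentials("aodh", frozenset({"reader"}), system_scope=True),
            end_user_id),
    }


if __name__ == "__main__":
    for case, allowed in authtoken_middleware_outcomes().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The `srbac_admin_only` case is the failure the patch fixes: an admin-only, project-scoped service user is neither the token subject nor a system reader, so once both enforcement flags are on it is denied. Adding `service` to its roles flips the result without touching the scope of the credential, which is exactly what each hunk below does.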
@ -152,6 +152,9 @@ outputs:
users:
aodh:
password: {get_param: AodhPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'alarming'
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
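Review bot: the aodh user ends up with both `- admin` and `- service`, while the commit message only needs the service role to satisfy the validate_token check; please state in the commit message whether keeping admin on every service user is intentional, since the same `roles:` block is repeated for each user in this patch and it is the natural place to drop admin if nothing else depends on it.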
@ -212,6 +212,9 @@ outputs:
users:
barbican:
password: {get_param: BarbicanPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'key-manager'
roles:
@ -80,6 +80,7 @@ outputs:
password: {get_param: CeilometerPassword}
roles:
- admin
- service
config_settings:
map_merge:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
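Review bot: this hunk only appends `- service` under an existing `- admin`, and its context starts at `password: {get_param: CeilometerPassword}` with no `users:` or user-name line, so confirm that this `roles:` list belongs to the ceilometer keystone user and not to another entry in the same file; the other hunks carry the `users:` and user-name context, which makes them easier to verify.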
@ -94,6 +94,9 @@ outputs:
users:
designate:
password: {get_param: DesignatePassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'dns'
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
@ -443,6 +443,9 @@ outputs:
users:
glance:
password: {get_param: GlancePassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'image'
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
@ -178,6 +178,9 @@ outputs:
users:
gnocchi:
password: {get_param: GnocchiPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'metric'
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
@ -108,6 +108,9 @@ outputs:
users:
heat-cfn:
password: {get_param: HeatPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'cloudformation'
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
@ -126,6 +126,9 @@ outputs:
users:
heat:
password: {get_param: HeatPassword}
roles:
- admin
- service
heat_stack_domain_admin:
password: {get_param: HeatStackDomainAdminPassword}
roles:
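Review bot: `heat-cfn` (previous hunk) and `heat` both use `password: {get_param: HeatPassword}`, so two keystone users share one secret; that predates this patch, but since both now carry the service role a leak of either credential grants validate_token, so a separate parameter for heat-cfn would be worth a follow-up. Also, `heat_stack_domain_admin:` directly below keeps its existing `roles:` list untouched; if that user is ever configured as an authtoken credential it would hit the same validate_token denial the commit message describes, so confirm it is not.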
@ -270,6 +270,9 @@ outputs:
users:
ironic-inspector:
password: {get_param: IronicPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'baremetal-introspection'
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
@ -153,6 +153,9 @@ outputs:
users:
manila:
password: {get_param: ManilaPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'share'
manilav2:
@ -163,6 +166,9 @@ outputs:
users:
manilav2:
password: {get_param: ManilaPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'sharev2'
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
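Review bot: `manila` (previous hunk) and `manilav2` both use `password: {get_param: ManilaPassword}` and now both carry `- service`; this is the same shared-secret situation as the heat users. If only one of these two keystone users is the one configured for the authtoken middleware, say so in the commit message, because then the other gains the service role without needing it.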
@ -290,6 +290,9 @@ outputs:
users:
neutron:
password: {get_param: NeutronPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'network'
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
@ -157,6 +157,9 @@ outputs:
name: {get_param: OctaviaUserName}
password: {get_param: OctaviaPassword}
project: {get_param: OctaviaProjectName}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'load-balancer'
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
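Review bot: here the user and project come from `OctaviaUserName` / `OctaviaProjectName`, so `- service` is assigned in the Octavia project rather than wherever the other service users are scoped; the commit message relies on a project-scoped service role being enough for validate_token, so confirm that keystone's rule checks only the role and not the project it is scoped to, otherwise this user still fails condition 1.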
@ -141,6 +141,9 @@ outputs:
users:
placement:
password: {get_param: PlacementPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'placement'
monitoring_subscription: {get_param: MonitoringSubscriptionPlacement}
@ -137,6 +137,9 @@ outputs:
users:
swift:
password: {get_param: SwiftPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'object-store'
roles: