I had an approach to have a special username matching keyword for policy.json to address this. It was wildly unpopular.
The general consensus was to add a role in the deployment and match based on that.

** Changed in: neutron
     Assignee: Kevin Benton (kevinbenton) => (unassigned)

** Changed in: neutron
       Status: In Progress => Opinion

** Changed in: neutron
       Status: Opinion => Confirmed

https://bugs.launchpad.net/bugs/1346778

Title:
  Neutron does not work by default without a keystone admin user

Status in OpenStack Neutron (virtual network service):
  Confirmed

Bug description:
  The default neutron policy.json 'context_is_admin' only matches on 'role:admin' and the account that neutron is configured with must match 'context_is_admin' for neutron to function correctly. This means that without modifying policy.json, a deployer cannot use a non-admin account for neutron.

  The policy.json keywords have no way to match the username of the neutron keystone credentials. This means that policy.json has to be modified for every deployment that doesn't use an admin user to match the keystone user neutron is configured with. This seems like an unnecessary burden to leave to deployers to achieve a secure deployment.
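Added example, not part of the bug report or of neutron's code: a small evaluator for a subset of the policy.json rule language, showing why the default 'context_is_admin' rejects a non-admin service account and how matching on a dedicated role admits it without granting 'admin'. The role name 'neutron_service', the sample credentials and the evaluator itself are assumptions made for illustration; this is not oslo.policy's parser.

```python
# Supports only: "role:<name>", "rule:<name>", "not", "and", "or" (no parentheses).

DEFAULT_POLICY = {"context_is_admin": "role:admin"}
# Hypothetical dedicated role, created in keystone and assigned to the neutron user.
ROLE_POLICY = {"context_is_admin": "role:admin or role:neutron_service"}

# Constructed sample credentials.
ADMIN_USER = {"user": "admin", "roles": ["admin"]}
SERVICE_USER = {"user": "neutron", "roles": ["service", "neutron_service"]}
TENANT_USER = {"user": "alice", "roles": ["member"]}


def _split(tokens, sep):
    """Split a token list into groups separated by the keyword sep."""
    groups, cur = [], []
    for tok in tokens:
        if tok == sep:
            groups.append(cur)
            cur = []
        else:
            cur.append(tok)
    groups.append(cur)
    return groups


def _atom(policy, token, creds, depth):
    kind, _, value = token.partition(":")
    if kind == "role":  # roles are compared case-insensitively here
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    if kind == "rule":  # reference to another named rule
        return check(policy, value, creds, depth + 1)
    raise ValueError(f"unsupported check: {token!r}")


def check(policy, rule_name, creds, depth=0):
    """Return True if creds satisfy policy[rule_name]; 'and' binds tighter than 'or'."""
    if depth > 8:
        raise ValueError("rule reference loop")
    for or_group in _split(policy[rule_name].split(), "or"):
        ok = True
        for term in _split(or_group, "and"):
            negate = bool(term) and term[0] == "not"
            if len(term) != 1 + negate:
                raise ValueError(f"malformed rule: {policy[rule_name]!r}")
            ok = ok and (_atom(policy, term[-1], creds, depth) != negate)
        if ok:
            return True
    return False
```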