[Yahoo-eng-team] [Bug 1346778] Re: Neutron does not work by default without a keystone admin user

2016-11-02 Thread gordon chung
** Changed in: ceilometer
   Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1346778

Title:
  Neutron does not work by default without a keystone admin user

Status in Ceilometer:
  Invalid
Status in neutron:
  Expired

Bug description:
  The default neutron policy.json 'context_is_admin' only matches on
  'role:admin' and the account that neutron is configured with must
  match 'context_is_admin' for neutron to function correctly. This means
  that without modifying policy.json, a deployer cannot use a non-admin
  account for neutron.

  The policy.json keywords have no way to match the username of the
  neutron keystone credentials. This means that policy.json has to be
  modified for every deployment that doesn't use an admin user to match
  the keystone user neutron is configured with.

  This seems like an unnecessary burden to leave to deployers to achieve
  a secure deployment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ceilometer/+bug/1346778/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp


[Yahoo-eng-team] [Bug 1346778] Re: Neutron does not work by default without a keystone admin user

2016-09-10 Thread Launchpad Bug Tracker
[Expired for neutron because there has been no activity for 60 days.]

** Changed in: neutron
   Status: Incomplete => Expired


Status in Ceilometer:
  Incomplete
Status in neutron:
  Expired



[Yahoo-eng-team] [Bug 1346778] Re: Neutron does not work by default without a keystone admin user

2015-04-24 Thread Brant Knudson
There appears to be a similar issue for ceilometer -- it needs admin
role when it should not.

** Also affects: ceilometer
   Importance: Undecided
   Status: New


Status in OpenStack Telemetry (Ceilometer):
  New
Status in OpenStack Neutron (virtual network service):
  Confirmed



[Yahoo-eng-team] [Bug 1346778] Re: Neutron does not work by default without a keystone admin user

2015-04-17 Thread Kevin Benton
I had an approach to have a special username matching keyword for
policy.json to address this. It was wildly unpopular.

The general consensus was to add a role in the deployment and match
based on that.

** Changed in: neutron
 Assignee: Kevin Benton (kevinbenton) => (unassigned)

** Changed in: neutron
   Status: In Progress => Opinion

** Changed in: neutron
   Status: Opinion => Confirmed


Status in OpenStack Neutron (virtual network service):
  Confirmed


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1346778/+subscriptions

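
An added illustration (not part of the thread and not neutron's own code) of the role-based approach mentioned in the 2015-04-17 message: a simplified evaluator for `role:` and `rule:` checks joined by `and`/`or`, run against the default `context_is_admin` rule and a modified one. The role name `neutron_service` and the credential dictionaries are assumptions constructed for the example.

```python
import json

# Constructed policy fragments. The first is the default rule quoted in the bug
# description; "neutron_service" is a hypothetical deployer-created role.
DEFAULT_POLICY = json.loads('{"context_is_admin": "role:admin"}')
ROLE_POLICY = json.loads(
    '{"context_is_admin": "role:admin or role:neutron_service"}')

# Constructed credentials, shaped like a request context's role list.
ADMIN = {"user_name": "admin", "roles": ["admin"]}
SERVICE = {"user_name": "neutron", "roles": ["neutron_service"]}
TENANT = {"user_name": "alice", "roles": ["member"]}


def check(rule, policy, creds, depth=0):
    """Evaluate 'or'-separated groups of 'and'-separated checks."""
    if depth > 8:
        raise ValueError("rule references nest too deeply (loop?)")
    return any(
        all(_check_one(c.strip(), policy, creds, depth)
            for c in group.split(" and "))
        for group in rule.split(" or "))


def _check_one(token, policy, creds, depth):
    kind, _, value = token.partition(":")
    if kind == "role":
        # Role names are compared case-insensitively in this evaluator.
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    if kind == "rule":
        # Reference to another named rule; an unknown name fails closed.
        return value in policy and check(policy[value], policy, creds, depth + 1)
    raise ValueError("unsupported check: %r" % token)


def is_admin(policy, creds):
    """True when the credentials satisfy the policy's context_is_admin rule."""
    return check(policy["context_is_admin"], policy, creds)


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("role-based", ROLE_POLICY)):
        for creds in (ADMIN, SERVICE, TENANT):
            print(name, creds["user_name"], is_admin(policy, creds))
```

With the modified rule the service account passes `context_is_admin` through its own role, so it does not have to hold the `admin` role, and an ordinary tenant is still rejected.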