[Yahoo-eng-team] [Bug 1445199] Re: Nova user should not have admin role
Devstack is meant to provide a deployment suitable for development, not a hardened setup that could be used in production. While it could adopt this if Nova supported it, I'll mark the bug as invalid for devstack.

** Changed in: devstack
       Status: New => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1445199

Title:
  Nova user should not have admin role

Status in devstack:
  Invalid
Status in OpenStack Compute (nova):
  Confirmed
Status in OpenStack Security Advisory:
  Invalid

Bug description:
  Most of the service users are granted the 'service' role on the 'service' project, except the 'nova' user which is given 'admin'. The 'nova' user should also be given only the 'service' role on the 'service' project.

  This is for security hardening.

To manage notifications about this bug go to:
https://bugs.launchpad.net/devstack/+bug/1445199/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1445199] Re: Nova user should not have admin role
** Changed in: ossa
       Status: Incomplete => Invalid

--
https://bugs.launchpad.net/bugs/1445199

Title:
  Nova user should not have admin role

Status in devstack - openstack dev environments:
  In Progress
Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Invalid

[Yahoo-eng-team] [Bug 1445199] Re: Nova user should not have admin role
In your bug description you indicate this is only a security hardening measure, but now you've switched the bug type to indicate it's an exploitable security vulnerability. Also this looks like a duplicate of bug 1445475 reported against nova.

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

--
https://bugs.launchpad.net/bugs/1445199

Title:
  Nova user should not have admin role

Status in devstack - openstack dev environments:
  New
Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Incomplete

[Yahoo-eng-team] [Bug 1445199] Re: Nova user should not have admin role
I think the reason the 'nova' user needs the 'admin' role is because neutron uses it to send a network allocation event back to nova. Nova should be configured by default to allow users with the 'service' role to do this operation and not require the 'admin' role.

** Information type changed from Public to Public Security

** Also affects: nova
   Importance: Undecided
       Status: New

--
https://bugs.launchpad.net/bugs/1445199

Title:
  Nova user should not have admin role

Status in devstack - openstack dev environments:
  New
Status in OpenStack Compute (Nova):
  New
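
Added example, not part of the bug thread and not devstack or nova code: a check for the condition the bug describes, flagging any user that holds a role other than 'service' on the 'service' project. The input shape (fields `Role`, `User`, `Project` with `name@domain` values) is assumed to match `openstack role assignment list --names -f json`; the sample rows are constructed.

```python
import json

# Constructed sample; field names are an assumption about the JSON emitted by
# `openstack role assignment list --names -f json`.
SAMPLE = """[
  {"Role": "admin",   "User": "nova@Default",    "Project": "service@Default"},
  {"Role": "service", "User": "glance@Default",  "Project": "service@Default"},
  {"Role": "service", "User": "neutron@Default", "Project": "service@Default"},
  {"Role": "admin",   "User": "admin@Default",   "Project": "admin@Default"},
  {"Role": "service", "User": "cinder@Default",  "Project": ""}
]"""


def _name(value):
    """Drop the '@domain' suffix that --names appends; tolerate empty or None."""
    return (value or "").split("@", 1)[0]


def overprivileged_service_users(assignments, project="service",
                                 allowed=("service",)):
    """Return sorted (user, role) pairs on `project` whose role is not allowed."""
    findings = set()
    for row in assignments:
        # Only project-scoped assignments on the service project are in scope;
        # domain- or system-scoped rows have an empty Project field.
        if _name(row.get("Project")) != project:
            continue
        user = _name(row.get("User"))
        role = _name(row.get("Role"))
        if not user:
            # Group assignments carry no User value; this check covers users only.
            continue
        if role not in allowed:
            findings.add((user, role))
    return sorted(findings)


if __name__ == "__main__":
    for user, role in overprivileged_service_users(json.loads(SAMPLE)):
        print(f"{user}: role '{role}' on 'service' project, expected 'service'")
```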