From 9d52fb6352ede75ed4b2e4691bd5fd1a39b6f09e Mon Sep 17 00:00:00 2001
From: Samuel de Medeiros Queiroz
Date: Tue, 2 Feb 2016 14:24:44 -0300
Subject: Do not assign admin to service users
As pointed out by Brant Knudson in change [1], the sample policy file allows the service user to validate tokens [2], so service users don't need 'admin' role, they only need 'service'. This patch adds the 'service' role creation to our tools/sample_data.sh and updates service roles to it rather than 'admin'.
[1] Iebc4f6b005e0466fe60691d964c7dea0e0eee947
[2] http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.json#n94
Change-Id: I3336514f7a2e1e749908d92b693d765c3ed48f51
---
 tools/sample_data.sh | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/tools/sample_data.sh b/tools/sample_data.sh
index bf96023f5..ce4074312 100755
--- a/tools/sample_data.sh
+++ b/tools/sample_data.sh
@@ -32,11 +32,11 @@
 # Tenant User Roles
 # -------------------------------------------------------
 # demo admin admin
-# service glance admin
-# service nova admin
-# service ec2 admin
-# service swift admin
-# service neutron admin
+# service glance service
+# service nova service
+# service ec2 service
+# service swift service
+# service neutron service
 # By default, passwords used are those in the OpenStack Install and Deploy Manual.
 # One can override these (publicly known, and hence, insecure) passwords by setting the appropriate
@@ -100,6 +100,14 @@ function get_id () {
 echo `"$@" | grep ' id ' | awk '{print $4}'`
 }
+#
+# Roles
+#
+
+openstack role create admin
+
+openstack role create service
+
 #
 # Default tenant
 #
@@ -109,8 +117,6 @@ openstack project create demo \
 openstack user create admin --project demo \
 --password "${ADMIN_PASSWORD}"
-openstack role create admin
-
 openstack role add --user admin \
 --project demo\
 admin
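Review bot: The new `openstack role create service` in the Roles hunk (and the `service` grants to glance, nova, ec2, swift and neutron in the next hunk) only deliver least privilege if the deployed policy actually lets the `service` role validate tokens; the commit message points to the sample policy.json for that, but the script says nothing about it, and a deployment running a stricter or older policy would leave those service users unable to validate tokens after this change. I would record the dependency next to the role creation: `# 'service' replaces 'admin' for service users; the deployed policy.json must allow the service role to validate tokens`. Like the `openstack role create admin` it sits beside, the new role create is also not idempotent, so a second run fails on that line if the roles already exist — whether that aborts the script depends on whether `set -e` is in effect, which is outside these hunks.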
@@ -126,35 +132,35 @@ openstack user create glance --project service\
 openstack role add --user glance \
 --project service \
- admin
+ service
 openstack user create nova --project service\
 --password "${NOVA_PASSWORD}"
 openstack role add --user nova \
 --project service \
- admin
+ service
 openstack user create ec2 --project service \
 --password "${EC2_PASSWORD}"
 openstack role add --user ec2 \
 --project service \
- admin
+ service
 openstack user create swift --project service \
 --password "${SWIFT_PASSWORD}" \
 openstack role add --user swift \
 --project service \
- admin
+ service
 openstack user create neutron --project service \
 --password "${NEUTRON_PASSWORD}" \
 openstack role add --user neutron \
 --project service \
- admin
+ service
 #
 # Keystone service
-- 
cgit v1.2.1