Nova not updating to new size of an extended in-use / attached cinder volume (Ceph RBD) to guest

Christian Rohmann christian.rohmann at inovex.de
Tue Jun 28 07:48:54 UTC 2022


Hey Sean,


On 06/05/2021 18:29, Sean Mooney wrote:
> that would make sense given the external event API is admin only and only intended to be used by services
> so the fix would be for Cinder to use an admin credential, not the user one, to send the event to Nova.

Thanks, yes, and that can just be achieved by configuring one which is 
then used for such calls.

But instead of a fully privileged "admin" user there rather should exist 
a proper RBAC role to only allow one service (Cinder in this case) to do 
what is required for it to function (e.g. send events to Nova) and not just 
"everything for every other service". This first of all violates the 
least privilege principle, but in an ecosystem that is made up of 
individual projects of varying security qualities and which are highly 
distributed it's just a bad idea to give every component and their dog 
the keys to the kingdom.

There was a forum on exactly that issue at the Summit and how that is 
one aspect of the RBAC work, see the etherpad: 
https://etherpad.opendev.org/p/deprivilization-of-service-accounts


Regards


Christian
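The scoped role Christian asks for above can be expressed in Nova's policy file. The fragment below is an added example, not configuration from this thread or from the Nova project; it assumes a Keystone role named `service` has been created and granted to Cinder's service user, and it uses Nova's policy target for `POST /os-server-external-events` together with Nova's built-in `context_is_admin` rule so that existing admin-driven calls keep working.

```yaml
# Nova policy.yaml override (added example; role name "service" is an assumption).
#
# Instead of letting Cinder log in as a full admin to deliver the
# "volume-extended" external event, only the dedicated service role
# (plus real admins) may call the external events API. Every other
# Nova API keeps its default policy, so the service account cannot
# do anything else with this role.

# A named rule for the service account role. Adjust the role name to
# whatever was assigned to the Cinder service user in Keystone.
"service_api": "role:service"

# Policy target for POST /os-server-external-events. The quoted reply
# describes this as admin-only by default; this override widens it to
# the service role without making the service user an admin.
"os_compute_api:os-server-external-events:create": "rule:service_api or rule:context_is_admin"
```

On the Cinder side the dedicated credentials go into the `[nova]` section of cinder.conf (the usual keystoneauth options: `auth_type`, `auth_url`, `username`, `password`, `project_name`, `user_domain_name`, `project_domain_name`), and the role is granted with `openstack role add --user <cinder-service-user> --project service service`. Before relying on the override, confirm the effective rule with `oslopolicy-policy-generator --namespace nova`, since newer releases may already ship a service-role default for this target; and verify the scoping by checking that a token holding only the `service` role is rejected on an unrelated admin-only Nova call.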





More information about the openstack-discuss mailing list