[Openstack] Looking for best practices on setting up least-privilege compute nodes

Daniel Hiltgen daniel at netkine.com
Sat Jan 25 01:34:33 UTC 2014


Are there any docs or guides that describe best practices for setting up
compute nodes with least privileges to mitigate the impact if an individual
compute node is compromised?

For example, I tried using a non-admin service tenant account for the
nova.conf->neutron_admin_* settings on my compute nodes, but attempts to
create a VM fail with "Error: Specifying 'tenant_id' other than
authenticated tenant in request requires admin privileges" so it seems
nova-compute needs an admin account when accessing the networking APIs
during VM creation.  Is there a way around that so I can give my compute
nodes access with deprivileged accounts?

I looked through the security guide, but it doesn't seem to go into this
detail.

Thanks!
Daniel