Are there any docs or guides that describe best practices for setting up compute nodes with least privileges to mitigate the impact if an individual compute node is compromised?
For example, I tried using a non-admin service tenant account for the nova.conf->neutron_admin_* settings on my compute nodes, but attempts to create a VM fail with "Error: Specifying 'tenant_id' other than authenticated tenant in request requires admin privileges", so it seems nova-compute needs an admin account when accessing the networking APIs during VM creation. Is there a way around that so I can give my compute nodes access with deprivileged accounts? I looked through the security guide, but it doesn't seem to go into this detail.

Thanks!
Daniel