Service users and permissions

During PowerVC installation, several operating system user accounts are created for the services that make up PowerVC (for example, nova for the OpenStack compute service). For improved security, the services are launched and run as those users rather than as root. A service sometimes needs to run a command that is restricted to the root user; for those cases, PowerVC also configures sudo filters that allow root access for specific commands only.

Make sure that the sudoers file contains a #includedir /etc/sudoers.d/ entry so that this sudo access is not blocked. This approach follows the OpenStack model. These service accounts are also used, in some cases, to secure inter-service communication by using complex random passwords.

Note: The following users are PowerVC users. They are local system accounts with no login access. They must not be managed by LDAP and must not be subject to a password expiration policy.
  • apache
  • garb
  • memcached
  • hacluster
  • haproxy
  • mysql
  • epmd
  • rabbitmq
  • zookeeper
  • glance
  • neutron
  • gnocchi
  • ceilometer
  • panko
  • cinder
  • nova
  • keystone
  • bumblebee
  • placement
  • swift
  • blazar
  • ttv-validation
  • clerk
  • mongod
  • pvcui
  • squall
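The requirements above (an active includedir line in sudoers, service accounts that exist locally with no login shell, and no password expiration on those accounts) can be verified with read-only checks. The following is an added shell example and is not part of the PowerVC documentation or product. Each check takes the file or directory to inspect as an argument; the sudoers, passwd and shadow contents it writes are constructed samples with made-up UIDs and dates, and the sudoers.d name check relies on sudo's documented rule that files whose names end in "~" or contain "." are ignored.

```shell
#!/bin/sh
# Added example, not PowerVC code: read-only audit checks for the service-user
# requirements. Try them on the constructed samples first, then point them at
# /etc/sudoers, /etc/sudoers.d, /etc/passwd and /etc/shadow (root to read shadow).

# 0 if FILE has an active "#includedir /etc/sudoers.d" directive at the start
# of a line. "@includedir" (sudo 1.9.1 and later) is accepted as equivalent.
sudoers_has_includedir() {
    grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d/?[[:space:]]*$' "$1"
}

# Print the names in DIR that sudo silently skips: names ending in "~" or
# containing ".". A filter dropped in as "nova.conf" would never be loaded.
sudoers_d_ignored_files() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case "$name" in
            *.*|*~) echo "$name" ;;
        esac
    done
}

# 0 if every user in USERS (space separated) exists in the passwd-format
# PASSWD_FILE with a non-login shell; prints each user that fails.
service_users_are_nologin() {
    passwd_file=$1; rc=0
    for u in $2; do
        shell=$(awk -F: -v user="$u" '$1 == user { print $7 }' "$passwd_file")
        case "$shell" in
            */nologin|*/false) ;;
            "") echo "missing local account: $u"; rc=1 ;;
            *)  echo "login shell set for $u: $shell"; rc=1 ;;
        esac
    done
    return $rc
}

# 0 if no user in USERS has a password maximum age (field 5, other than the
# conventional 99999) or an account expiry date (field 8) in the shadow-format
# SHADOW_FILE; prints each offender.
service_users_no_expiry() {
    shadow_file=$1; rc=0
    for u in $2; do
        line=$(awk -F: -v user="$u" '$1 == user' "$shadow_file")
        [ -n "$line" ] || { echo "no shadow entry: $u"; rc=1; continue; }
        max=$(printf '%s\n' "$line" | cut -d: -f5)
        expire=$(printf '%s\n' "$line" | cut -d: -f8)
        if [ -n "$max" ] && [ "$max" != 99999 ]; then
            echo "password max age $max days set for $u"; rc=1
        fi
        if [ -n "$expire" ]; then
            echo "account expiry date set for $u"; rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs (UIDs and dates are made up) written under DIR.
write_samples() {
    dir=$1
    mkdir -p "$dir/sudoers.d"
    printf 'root ALL=(ALL) ALL\n#includedir /etc/sudoers.d\n' > "$dir/sudoers.good"
    printf 'root ALL=(ALL) ALL\n' > "$dir/sudoers.bad"
    : > "$dir/sudoers.d/nova"
    : > "$dir/sudoers.d/nova.bak"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nova:x:1001:1001:OpenStack nova:/var/lib/nova:/sbin/nologin
keystone:x:1002:1002:OpenStack keystone:/var/lib/keystone:/sbin/nologin
cinder:x:1003:1003:OpenStack cinder:/var/lib/cinder:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
nova:!!:19000::::::
keystone:!!:19000::99999::::
cinder:!!:19000:0:90:7:::
EOF
}

# Stand-alone run against the samples: cinder and glance are reported.
main() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    sudoers_has_includedir "$tmp/sudoers.good" && echo "includedir present"
    echo "ignored sudoers.d files: $(sudoers_d_ignored_files "$tmp/sudoers.d")"
    service_users_are_nologin "$tmp/passwd" "nova keystone cinder glance"
    service_users_no_expiry "$tmp/shadow" "nova keystone cinder"
    rm -rf "$tmp"
}
main "$@"
```

On a real host, call the check functions with /etc/sudoers, /etc/sudoers.d, /etc/passwd and /etc/shadow and the user list from the note above; a nonzero return from any of them means the corresponding requirement is not met.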

SQL-based authentication for service users

The SQL driver is now Keystone's default identity driver for internal service users. Passwords for these service users are not set at the operating system level. Instead, the service users and their passwords are created in the Keystone database by using the SQL driver, and these credentials are used in the respective service configuration files as before. You can change the passwords for these service users by using a CLI command. For details, see CLI commands.