Bug 1566724

Summary: Define creator role by default when deploying with Barbican
Product: Red Hat OpenStack Reporter: Ade Lee <alee>
Component: puppet-tripleoAssignee: RHOS Maint <rhos-maint>
Status: CLOSED ERRATA QA Contact: David Rosenfeld <drosenfe>
Severity: low Docs Contact:
Priority: low    
Version: 15.0 (Stein)CC: dh3, hrybacki, jjoyce, josorior, jschluet, mburns, nkinder, pkesavar, rmascena, sclewis, slinaber, srevivo, tshefi, tvignaud
Target Milestone: betaKeywords: Triaged
Target Release: 16.1 (Train on RHEL 8.2)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: puppet-tripleo-11.5.0-0.20200605073426.2a2deaa.el8ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1664428 (view as bug list) Environment:
Last Closed: 2020-07-29 07:49:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1565039, 1664428, 1664429    

Description Ade Lee 2018-04-12 21:09:51 UTC 
Description of problem:

The creator role is required for users to store secrets in Barbican.  See 

https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/manage_secrets_with_openstack_key_manager/#install_barbican

It would be better to create this role and associate users with this role by default.  

In addition, it may be possible to retrofit existing users with this role.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Alan Bishop 2018-04-12 21:17:36 UTC 
Cinder provides a mechanism for migrating encryption keys creating using the legacy ConfKeyManager to Barbican. In order to do that, the cinder service itself needs the creator role. If that role will be automatically added to users then it would be helpful if it could also be added to cinder's service user.
Comment 11 Nathan Kinder 2019-01-08 18:12:57 UTC 
After some discussion, we believe the proper thing to do is to define the creator role by default for a TripleO deployment with Barbican, but we don't want to automatically assume that users should get the "creator" role.  The assignment of this role should be left up to the operator, but we need to at least create the role within keystone at deployment time.  This should be considered a usability bug as opposed to a RFE.
Comment 20 errata-xmlrpc 2020-07-29 07:49:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3148