Bug 1890785

Summary: [RFE] Implement Secure RBAC Project Scoped Personas within ironic
Product: Red Hat OpenStack
Reporter: Harry Rybacki <hrybacki>
Component: openstack-ironic
Assignee: Julia Kreger <jkreger>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: high
Version: 17.0 (Wallaby)
CC: bfournie, broose, chrisw, cylopez, djuran, dtantsur, ekuris, gouthamr, hrybacki, igallagh, igarciam, jhakimra, jkreger, jparoly, jraju, mariel, mburns, molasaga, morazi, nkinder, nlevinki, nsatsia, pweeks, racedoro, rpittau, scohen, spower, srevivo, vhariria
Target Milestone: Alpha
Keywords: FutureFeature, TechPreview, Triaged
Target Release: 17.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: openstack-ironic-17.0.4-0.20210803051805.42ddb40.el8ost openstack-ironic-inspector-10.6.1-0.20210607161808.0d868c6.el8ost
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1888788
Environment:
Last Closed: 2022-09-21 12:12:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1228474, 1326391, 1801416, 1888788, 1904499
Bug Blocks: 1381612, 1566243, 2125342

Comment 1 Julia Kreger 2020-11-10 21:42:39 UTC
Greetings,

Could we get some clarity as to what is actually required/expected? A baremetal_observer role is already available as the "observer" or "baremetal_observer" role if granted, and "baremetal_admin" for administrator usage. I guess what this ultimately means is this is a rather confusing BZ at this time. Any clarity you can provide would be much appreciated.

Comment 4 Julia Kreger 2021-03-18 19:28:22 UTC
A huge series of patches has almost merged upstream. One or two minor patches in final sequence for the service. All patches have the "secure-rbac" topic upstream against the ironic and ironic-inspector repositories.

Comment 13 Julia Kreger 2021-08-23 17:30:38 UTC
Moving to modified state as the work has been completed in Ironic and Ironic Inspector.

In terms of ironic-inspector, and specifically project scoped personas, such access is out of scope for Inspector as it is a system service for data collection. Workflows *are* possible where ironic can be asked directly to trigger inspection, should someone still need introspection to occur, but again, that pattern is out of scope of its use and unlikely to ever be supported given the operational role and position in any hardware interaction workflow.

Comment 23 errata-xmlrpc 2022-09-21 12:12:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543