Bug 1956280
Summary: | [RFE] Deploy secure RBAC for Cinder via TripleO | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Giulio Fidente <gfidente> |
Component: | openstack-tripleo-heat-templates | Assignee: | Alan Bishop <abishop> |
Status: | CLOSED ERRATA | QA Contact: | Joe H. Rahme <jhakimra> |
Severity: | low | Docs Contact: | |
Priority: | high | ||
Version: | 17.0 (Wallaby) | CC: | gcharot, jraju, mariel, mburns, nlevinki, spower, tshefi, vimartin |
Target Milestone: | beta | Keywords: | FutureFeature, TechPreview, Triaged |
Target Release: | 17.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | openstack-tripleo-heat-templates-14.3.1-0.20220317195120.4b13772 | Doc Type: | No Doc Update |
Last Closed: | 2022-09-21 12:14:56 UTC | Type: | Bug |
Bug Depends On: | 1326396 | ||
Bug Blocks: | 1381612 |
Description
Giulio Fidente
2021-05-03 11:39:51 UTC
The approach to be taken for OSP-17 will use a policy override file generated via THT's CinderApiPolicies parameter.

Patch on stable/wallaby has already been imported into rhos-17.0-trunk-patches, so just waiting for an updated compose.

*** Bug 1326396 has been marked as a duplicate of this bug. ***

Verified on:
openstack-tripleo-heat-templates-14.3.1-0.20220628111342.7c969c5.el9ost.noarch

Added srbac yaml to my overcloud_deploy.sh:
/usr/share/openstack-tripleo-heat-templates/environments/enable-secure-rbac.yaml

The expected policy.yaml shows up under Cinder's config dir:

```
[root@controller-2 ~]# cd /var/lib/config-data/puppet-generated/cinder/etc/cinder/
[root@controller-2 cinder]# ll
total 204
-rw-r-----. 1 root 42407 194748 Jul  5 20:14 cinder.conf
-rw-r-----. 1 root 42407   9652 Jul  5 20:14 policy.yaml
[root@controller-2 cinder]# head policy.yaml
'admin_api': 'is_admin:True or (role:admin and is_admin_project:True)'
'admin_or_owner': 'is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s'
'backup:backup-import': 'rule:admin_api'
'backup:backup_project_attribute': 'rule:admin_api'
'backup:create': 'rule:system_admin_or_project_member'
'backup:delete': 'rule:system_admin_or_project_member'
'backup:export-import': 'rule:admin_api'
'backup:get': 'rule:system_admin_or_project_reader'
'backup:get_all': 'rule:system_admin_or_project_reader'
'backup:restore': 'rule:system_admin_or_project_member'
...
..
```

As far as getting the tripleo/deployment part of secure RBAC for Cinder we're good to verify.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543
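A post-deployment audit of the generated policy.yaml from the verification comment, as an added example that is not part of the original bug report or of TripleO. It lists API actions that are not gated by one of the rule aliases seen in the verified output. The names `parse_policy` and `audit`, the two `example:*` entries, and the choice to flag `rule:admin_or_owner` as a leftover legacy default are assumptions.

```python
import re

# Constructed sample: the first five lines are copied from the
# `head policy.yaml` output above; the two example:* entries are made up
# to exercise the checks.
SAMPLE = """\
'admin_api': 'is_admin:True or (role:admin and is_admin_project:True)'
'admin_or_owner': 'is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s'
'backup:backup-import': 'rule:admin_api'
'backup:create': 'rule:system_admin_or_project_member'
'backup:get': 'rule:system_admin_or_project_reader'
'example:legacy_action': 'rule:admin_or_owner'
'example:open_action': ''
"""

# Aliases the verified file delegates to (taken from the output above).
PERSONA_RULES = {"admin_api", "system_admin_or_project_member",
                 "system_admin_or_project_reader"}
LINE = re.compile(r"^'([^']+)':\s*'([^']*)'\s*$")

def parse_policy(text):
    """Parse one-rule-per-line 'name': 'check' entries (the layout shown above)."""
    rules = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rules[m.group(1)] = m.group(2)
    return rules

def audit(rules):
    """Return {action: finding} for actions not gated by a persona alias."""
    findings = {}
    for name, check in rules.items():
        if ":" not in name:  # assumption: names without ':' are alias definitions
            continue
        refs = set(re.findall(r"rule:([\w.-]+)", check))
        if check.strip() == "":
            # oslo.policy treats an empty check string as "always allow"
            findings[name] = "empty check string (always allows)"
        elif not refs & PERSONA_RULES:
            findings[name] = "no persona alias referenced: " + check
    return findings

if __name__ == "__main__":
    for action, why in audit(parse_policy(SAMPLE)).items():
        print(f"{action}: {why}")
```

To audit a deployed controller, read `/var/lib/config-data/puppet-generated/cinder/etc/cinder/policy.yaml` and pass its contents to `parse_policy` in place of `SAMPLE`.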