Bug 1956280

Summary: [RFE] Deploy secure RBAC for Cinder via TripleO
Product: Red Hat OpenStack
Component: openstack-tripleo-heat-templates
Version: 17.0 (Wallaby)
Reporter: Giulio Fidente <gfidente>
Assignee: Alan Bishop <abishop>
QA Contact: Joe H. Rahme <jhakimra>
CC: gcharot, jraju, mariel, mburns, nlevinki, spower, tshefi, vimartin
Status: CLOSED ERRATA
Severity: low
Priority: high
Target Milestone: beta
Target Release: 17.0
Keywords: FutureFeature, TechPreview, Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20220317195120.4b13772
Doc Type: No Doc Update
Type: Bug
Last Closed: 2022-09-21 12:14:56 UTC
Bug Depends On: 1326396
Bug Blocks: 1381612

Description Giulio Fidente 2021-05-03 11:39:51 UTC
Enable secure RBAC for/in Cinder when deploying via TripleO

https://etherpad.opendev.org/p/policy-popup-xena-ptg

Comment 2 Alan Bishop 2021-10-08 17:46:19 UTC
The approach to be taken for OSP-17 will use a policy override file generated via THT's CinderApiPolicies parameter.

Comment 3 Alan Bishop 2022-01-04 19:23:40 UTC
Patch on stable/wallaby has already been imported into rhos-17.0-trunk-patches, so just waiting for an updated compose.

Comment 5 Brian Rosmaita 2022-05-31 13:28:18 UTC
*** Bug 1326396 has been marked as a duplicate of this bug. ***

Comment 6 Tzach Shefi 2022-07-21 06:26:30 UTC
Verified on:
openstack-tripleo-heat-templates-14.3.1-0.20220628111342.7c969c5.el9ost.noarch

Added srbac yaml to my overcloud_deploy.sh:
/usr/share/openstack-tripleo-heat-templates/environments/enable-secure-rbac.yaml 

The expected policy.yaml shows up under Cinder's config dir:

[root@controller-2 ~]# cd /var/lib/config-data/puppet-generated/cinder/etc/cinder/
[root@controller-2 cinder]# ll
total 204
-rw-r-----. 1 root 42407 194748 Jul  5 20:14 cinder.conf
-rw-r-----. 1 root 42407   9652 Jul  5 20:14 policy.yaml


[root@controller-2 cinder]# head policy.yaml 
'admin_api': 'is_admin:True or (role:admin and is_admin_project:True)'
'admin_or_owner': 'is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s'
'backup:backup-import': 'rule:admin_api'
'backup:backup_project_attribute': 'rule:admin_api'
'backup:create': 'rule:system_admin_or_project_member'
'backup:delete': 'rule:system_admin_or_project_member'
'backup:export-import': 'rule:admin_api'
'backup:get': 'rule:system_admin_or_project_reader'
'backup:get_all': 'rule:system_admin_or_project_reader'
'backup:restore': 'rule:system_admin_or_project_member'
...
..

As far as getting the tripleo/deployment part of secure RBAC for Cinder we're good to verify.
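
An added example, not part of the bug report and not TripleO or Cinder code: an audit of the deployed policy.yaml override that groups each API target by the rule it references and lists any target still tied to `admin_or_owner`. Treating `admin_or_owner` as the legacy rule and treating names without a colon as rule aliases are assumptions of this example; the last sample line is constructed.

```python
import re

# Constructed input: the ten policy.yaml lines quoted above plus one invented legacy target.
SAMPLE = """\
'admin_api': 'is_admin:True or (role:admin and is_admin_project:True)'
'admin_or_owner': 'is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s'
'backup:backup-import': 'rule:admin_api'
'backup:backup_project_attribute': 'rule:admin_api'
'backup:create': 'rule:system_admin_or_project_member'
'backup:delete': 'rule:system_admin_or_project_member'
'backup:export-import': 'rule:admin_api'
'backup:get': 'rule:system_admin_or_project_reader'
'backup:get_all': 'rule:system_admin_or_project_reader'
'backup:restore': 'rule:system_admin_or_project_member'
'volume:constructed_example': 'rule:admin_or_owner'
"""

PAIR = re.compile(r"^'((?:[^']|'')*)':\s*'((?:[^']|'')*)'$")
RULE_REF = re.compile(r"\brule:([\w-]+)")
LEGACY = {"admin_or_owner"}  # assumption: rule treated as pre-secure-RBAC

def parse_policy(text):
    """Parse the flat, single-quoted 'name': 'check' lines of the override."""
    rules = {}
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        m = PAIR.match(line)
        if not m:
            raise ValueError(f"line {n}: expected a quoted 'name': 'check' pair")
        name, check = (s.replace("''", "'") for s in m.groups())
        rules[name] = check
    return rules

def audit(rules):
    """Group API targets by referenced rule; list targets on a legacy rule."""
    by_rule, legacy = {}, []
    for name, check in sorted(rules.items()):
        if ":" not in name:  # heuristic: names without ':' are rule aliases
            continue
        refs = RULE_REF.findall(check)
        for ref in refs:
            by_rule.setdefault(ref, []).append(name)
        if LEGACY.intersection(refs):
            legacy.append(name)
    return by_rule, legacy

if __name__ == "__main__":
    print(audit(parse_policy(SAMPLE)))
```

A rule that is referenced but not defined in the file is not reported, because an override file is merged with the service's in-code default rules.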

Comment 15 errata-xmlrpc 2022-09-21 12:14:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543