Bug 2026029
| Summary: | Support of project owned keys | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Luigi Tamagnone <ltamagno> | |
| Component: | openstack-barbican | Assignee: | Douglas Mendizábal <dmendiza> | |
| Status: | CLOSED ERRATA | QA Contact: | Jeremy Agee <jagee> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | 16.1 (Train) | CC: | cmayapka, dasmith, dmendiza, dwilde, eglynn, eolivare, hrybacki, jelynch, jhakimra, jmitterm, jpretori, jschluet, kchamart, lyarwood, pjagtap, sbauza, sgordon, vromanso | |
| Target Milestone: | z9 | Keywords: | Triaged | |
| Target Release: | 16.1 (Train on RHEL 8.2) | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | openstack-barbican-9.0.1-1.20220617163753.07be198.el8ost | Doc Type: | Bug Fix | |
| Doc Text: |
Before this update, the secret:delete policy in the Key Manager service (barbican) only allowed users with the Creator role to delete a secret if they were the same user that created the secret. This limitation impacted encrypted workflows because of the mismatch in policy, for example, the Block Storage service (cinder) allows users with a role assignment on the project to delete encrypted volumes. However, the Key Manager service responded with an authorization error because not all users were allowed to delete the secret. With this update, the secret:delete policy in the Key Manager service has been changed to allow users with the Creator role to delete any secret that belongs to the project, not just the ones that they created. All users allowed to delete a Block Storage service encrypted volume are also allowed to delete the associated secret.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 2118620 (view as bug list) | Environment: | ||
| Last Closed: | 2022-12-07 20:30:05 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2118620 | |||
|
Description
Luigi Tamagnone
2021-11-23 16:51:44 UTC
Doug, would this be considered an RFE? I'm not sure if this is by design or not. I consider this a bug because the mismatch in policy between Barbican and Cinder breaks some volume workflows. The title and description of this BZ make it seem like an RFE, but that's because this BZ assumes that secrets are not currently owned by a project, which is incorrect. Barbican has always supported project ownership of secrets. This issue is only related to the "secrets:delete" RBAC policy in Barbican. Ack, thanks for clarifying, Doug. Follow up question, what does it look like to fix the policy in Barbican to resolve this? Are our other policy changes aimed at 16.1.10 going to address this as well or do we have more work to do? This issue has already been fixed upstream https://storyboard.openstack.org/#!/story/2009791 and the patch has been proposed downstream and is currently waiting for reviews. We should not need any further policy changes for this issue, and the fix should be able to be merged on time for 16.1.9. *** Bug 2092879 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenStack Platform 16.1.9 (openstack-barbican) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8874 |