Bug 2116906

Summary: creator role not required for secret creation
Product: Red Hat OpenStack
Component: openstack-barbican
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: 17.0 (Wallaby)
Target Milestone: ga
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-barbican-12.0.1-0.20220614210403.486e607.el9ost
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-09-21 12:24:42 UTC
Type: Bug
Regression: ---
Documentation: ---
Reporter: Jeremy Agee <jagee>
Assignee: Douglas Mendizábal <dmendiza>
QA Contact: Jeremy Agee <jagee>
CC: alee, dcaspin, dmendiza, dwilde, hrybacki, jschluet, pgrist, spower
Keywords: Triaged

Description Jeremy Agee 2022-08-09 14:12:18 UTC
Description of problem:
For OSP < 17 the creator role was required for secret creation. Now a user with a member role can create secrets.

Version-Release number of selected component (if applicable):
OSP17

How reproducible:
Always

Steps to Reproduce:
openstack --os-cloud overcloud project create --domain default testproject1
openstack --os-cloud overcloud user create --domain default  testuser1_in_project1
openstack --os-cloud overcloud user set --password 12345678 testuser1_in_project1 
openstack --os-cloud overcloud role add --user testuser1_in_project1 --project project1 member
openstack --os-cloud testuser1_in_project1 token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-08-09T14:49:53+0000                                                                                                                                                                |
| id         | gAAAAABi8mYBBbNYygtjEalaZxe4d715t5tV97SI14EaTa7XE29l7dOMBuQmF3PZS07LQ3aI16FzLbODq0Tsl-_0K9YkgypH1Bd9uo69PzoyImKuiCL_rY8BB9OhzXY_WiqQJb8x-fUwckbSP9qx2ChE_LyXJfNlwfUcjuFhYPSUQ4feOuNM8wc |
| project_id | 87ea6e5e62fe4191bf03891b4b52108c                                                                                                                                                        |
| user_id    | 29999ae0c14349c681e0d29404a935f7                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

openstack --os-cloud testuser1_in_project1 secret store --name secretCreatedFrom_testuser1_in_project1
+---------------+------------------------------------------------------------------------+
| Field         | Value                                                                  |
+---------------+------------------------------------------------------------------------+
| Secret href   | http://10.0.0.140:9311/v1/secrets/d881a855-2f4d-4333-b6bc-421eebd59ebb |
| Name          | secretCreatedFrom_testuser1_in_project1                                |
| Created       | None                                                                   |
| Status        | None                                                                   |
| Content types | None                                                                   |
| Algorithm     | aes                                                                    |
| Bit length    | 256                                                                    |
| Secret type   | opaque                                                                 |
| Mode          | cbc                                                                    |
| Expiration    | None                                                                   |
+---------------+------------------------------------------------------------------------+

openstack --os-cloud testuser1_in_project1 secret update http://10.0.0.140:9311/v1/secrets/d881a855-2f4d-4333-b6bc-421eebd59ebb 'TestPayload-updated'

Actual results:
A member user can create secrets.

Expected results:
The creator role should be required when not using SRBAC.

Additional info:
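
The expected behaviour in the report above (only admin or creator may POST a secret when the new SRBAC defaults are not enforced) can be checked against a policy file before deployment. The following is an added example, not Barbican's own code: a minimal evaluator for oslo.policy-style check strings, loaded with rules that are an assumption modeled on Barbican's legacy policy, plus a constructed RELAXED_POLICY that reproduces the observed "member can create" outcome for comparison. Compare the rule strings with the policy.yaml actually deployed before relying on them.

```python
"""Minimal evaluator for oslo.policy-style check strings (added example)."""
import re

# Assumed legacy rules, modeled on Barbican's legacy policy (simplified;
# the real file defines many more rules). Verify against the deployed file.
LEGACY_POLICY = {
    "admin": "role:admin",
    "creator": "role:creator",
    "admin_or_creator": "rule:admin or rule:creator",
    "secrets:post": "rule:admin_or_creator",
}

# Constructed illustration of the behaviour the bug report observed:
# a plain member passes secrets:post. This is NOT the shipped policy.
RELAXED_POLICY = dict(LEGACY_POLICY,
                      **{"secrets:post": "rule:admin_or_creator or role:member"})


def _check_atom(atom, policy, creds):
    """Evaluate one 'role:<name>' or 'rule:<name>' atom."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "rule":
        return enforce(value, policy, creds)
    raise ValueError("unsupported check: %r" % atom)


def enforce(rule_name, policy, creds):
    """Evaluate policy[rule_name]; 'or' binds weaker than 'and'.

    Only flat 'a or b and c' expressions are supported (no parentheses).
    """
    for disjunct in re.split(r"\s+or\s+", policy[rule_name]):
        if all(_check_atom(a.strip(), policy, creds)
               for a in re.split(r"\s+and\s+", disjunct)):
            return True
    return False


def can_create_secret(roles, policy=LEGACY_POLICY):
    """True if a user holding exactly these roles passes secrets:post."""
    return enforce("secrets:post", policy, {"roles": set(roles)})


if __name__ == "__main__":
    for roles in (["member"], ["creator"], ["admin"], ["member", "creator"]):
        print(sorted(roles), "legacy ->", can_create_secret(roles),
              "relaxed ->", can_create_secret(roles, RELAXED_POLICY))
```

Run against the legacy rules, a member-only user is denied and a creator or admin is allowed; the same member is allowed under RELAXED_POLICY, which is the outcome the reproduction steps show.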

Comment 1 spower 2022-08-11 12:17:10 UTC
Please ensure this bug is properly triaged with acks.

Comment 6 Jon Schlueter 2022-08-25 16:48:47 UTC
Updated external trackers with patches from https://review.opendev.org/q/topic:story%252F2010235 at the request of Douglas Mendizábal.

Comment 16 errata-xmlrpc 2022-09-21 12:24:42 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543