Bug 2231080

Summary: [OSP16.2] Barbican Creator role capabilities should be updated/fixed in Documentation
Product: Red Hat OpenStack
Reporter: Ricardo Ramos Thomas <riramos>
Component: documentation
Assignee: Roger Heslop <rheslop>
Status: ASSIGNED
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: medium
Priority: medium
Version: 16.2 (Train)
CC: dmendiza, jveiraca, rheslop
Keywords: Documentation, Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug

Description Ricardo Ramos Thomas 2023-08-10 13:45:59 UTC
Description of problem:

Our doc says the following [1]:

The policy.yaml.sample file you generated describes the policies used by barbican. The policy is implemented by four different roles that define how a user interacts with secrets and secret metadata. A user receives these permissions by being assigned to a particular role:


admin - Can delete, create/edit, and read secrets.
creator - Can create/edit, and read secrets. Can not delete secrets.
observer - Can only read data.
audit - Can only read metadata. Can not read secrets.


But it looks like the creator role can delete secrets owned by the project, as upstream and the CU can confirm:

- https://docs.openstack.org/barbican/latest/admin/access_control.html

- https://storyboard.openstack.org/#!/story/2009791

~~~
creator
Users with this role are allowed to create new resources and can also delete resources which are owned by the project for which the creator role is scoped. They are also allowed full access to existing secrets owned by the project in scope.
~~~

It looks like the upstream change to the creator role was part of openstack-barbican 9.0.2-2.20220607193627.d632bba and newer for 16.2.

So it looks like this is expected behavior and our doc is wrong.



Version-Release number of selected component (if applicable):

RHOSP 16.2.x (Train) 

How reproducible:


Steps to Reproduce:
1. Does not apply

Actual results:

The Red Hat 16.2 documentation has the wrong explanation of the capabilities for the Creator role.

Expected results:

A correct explanation of the role in the Red Hat documentation.

Additional info:


- sosreports are available