Description of problem: The creator role is required for users to store secrets in Barbican. See https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/manage_secrets_with_openstack_key_manager/#install_barbican It would be better to create this role and associate users with this role by default. In addition, it may be possible to retrofit existing users with this role. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Cinder provides a mechanism for migrating encryption keys creating using the legacy ConfKeyManager to Barbican. In order to do that, the cinder service itself needs the creator role. If that role will be automatically added to users then it would be helpful if it could also be added to cinder's service user.
After some discussion, we believe the proper thing to do is to define the creator role by default for a TripleO deployment with Barbican, but we don't want to automatically assume that users should get the "creator" role. The assignment of this role should be left up to the operator, but we need to at least create the role within keystone at deployment time. This should be considered a usability bug as opposed to a RFE.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3148