1566724 – Define creator role by default when deploying with Barbican

Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.

Bug 1566724 - Define creator role by default when deploying with Barbican

Summary: Define creator role by default when deploying with Barbican

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	puppet-tripleo
Sub Component:
Version:	15.0 (Stein)
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	beta
Target Release:	16.1 (Train on RHEL 8.2)
Assignee:	RHOS Maint
QA Contact:	David Rosenfeld
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1565039 1664428 1664429
TreeView+	depends on / blocked

Reported:	2018-04-12 21:09 UTC by Ade Lee
Modified:	2020-07-29 07:50 UTC (History)
CC List:	14 users (show)
Fixed In Version:	puppet-tripleo-11.5.0-0.20200605073426.2a2deaa.el8ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1664428 (view as bug list)
Environment:
Last Closed:	2020-07-29 07:49:26 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1812209	None	None	None	2019-01-17 12:44:51 UTC
OpenStack gerrit	631477	None	MERGED	Create barbican's creator role by default	2021-01-22 17:21:47 UTC
Red Hat Product Errata	RHBA-2020:3148	None	None	None	2020-07-29 07:50:42 UTC

Description Ade Lee 2018-04-12 21:09:51 UTC

Description of problem:

The creator role is required for users to store secrets in Barbican.  See 

https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/manage_secrets_with_openstack_key_manager/#install_barbican

It would be better to create this role and associate users with this role by default.  

In addition, it may be possible to retrofit existing users with this role.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Alan Bishop 2018-04-12 21:17:36 UTC

Cinder provides a mechanism for migrating encryption keys creating using the legacy ConfKeyManager to Barbican. In order to do that, the cinder service itself needs the creator role. If that role will be automatically added to users then it would be helpful if it could also be added to cinder's service user.

Comment 11 Nathan Kinder 2019-01-08 18:12:57 UTC

After some discussion, we believe the proper thing to do is to define the creator role by default for a TripleO deployment with Barbican, but we don't want to automatically assume that users should get the "creator" role.  The assignment of this role should be left up to the operator, but we need to at least create the role within keystone at deployment time.  This should be considered a usability bug as opposed to a RFE.

Comment 20 errata-xmlrpc 2020-07-29 07:49:26 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3148

Note You need to log in before you can comment on or make changes to this bug.