Bug 1890785 - [RFE] Implement Secure RBAC Project Scoped Personas within ironic
Summary: [RFE] Implement Secure RBAC Project Scoped Personas within ironic
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-ironic
Version: 17.0 (Wallaby)
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: Alpha
Target Release: 17.0
Assignee: Julia Kreger
QA Contact:
URL:
Whiteboard:
Depends On: 1228474 1326391 1801416 1888788 1904499
Blocks: 1381612 1566243 2125342
Reported: 2020-10-22 20:23 UTC by Harry Rybacki
Modified: 2022-09-21 12:13 UTC (History)

Fixed In Version: openstack-ironic-17.0.4-0.20210803051805.42ddb40.el8ost openstack-ironic-inspector-10.6.1-0.20210607161808.0d868c6.el8ost
Doc Type: Enhancement
Doc Text:
Clone Of: 1888788
Environment:
Last Closed: 2022-09-21 12:12:14 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-391 0 None None None 2022-02-04 12:34:24 UTC
Red Hat Issue Tracker RHOSPDOC-827 0 None None None 2022-08-03 10:18:52 UTC
Red Hat Product Errata RHEA-2022:6543 0 None None None 2022-09-21 12:13:05 UTC

Comment 1 Julia Kreger 2020-11-10 21:42:39 UTC
Greetings,

Could we get some clarity as to what is actually required/expected? A baremetal_observer role is already available as the "observer" or "baremetal_observer" role if granted, and "baremetal_admin" for administrator usage. I guess what this ultimately means is this is a rather confusing BZ at this time. Any clarity you can provide would be much appreciated.

Comment 4 Julia Kreger 2021-03-18 19:28:22 UTC
A huge series of patches has almost merged upstream. One or two minor patches are in final sequence for the service. All patches have the "secure-rbac" topic upstream against the ironic and ironic-inspector repositories.

Comment 13 Julia Kreger 2021-08-23 17:30:38 UTC
Moving to modified state as the work has been completed in Ironic and Ironic Inspector.

In terms of ironic-inspector, and specifically project scoped personas, such access is out of scope for Inspector as it is a system service for data collection. Workflows *are* possible where ironic can be asked directly to trigger inspection, should someone still need introspection to occur, but again, that pattern is out of scope of its use and unlikely to ever be supported given the operational role and position in any hardware interaction workflow.

Comment 23 errata-xmlrpc 2022-09-21 12:12:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

