Enable secure RBAC for/in Cinder when deploying via TripleO
https://etherpad.opendev.org/p/policy-popup-xena-ptg
The approach to be taken for OSP-17 will use a policy override file generated via THT's CinderApiPolicies parameter.
Patch on stable/wallaby has already been imported into rhos-17.0-trunk-patches, so just waiting for an updated compose.
*** Bug 1326396 has been marked as a duplicate of this bug. ***
Verified on:
openstack-tripleo-heat-templates-14.3.1-0.20220628111342.7c969c5.el9ost.noarch

Added srbac yaml to my overcloud_deploy.sh:
/usr/share/openstack-tripleo-heat-templates/environments/enable-secure-rbac.yaml

The expected policy.yaml shows up under Cinder's config dir:
[root@controller-2 ~]# cd /var/lib/config-data/puppet-generated/cinder/etc/cinder/
[root@controller-2 cinder]# ll
total 204
-rw-r-----. 1 root 42407 194748 Jul 5 20:14 cinder.conf
-rw-r-----. 1 root 42407 9652 Jul 5 20:14 policy.yaml
[root@controller-2 cinder]# head policy.yaml
'admin_api': 'is_admin:True or (role:admin and is_admin_project:True)'
'admin_or_owner': 'is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s'
'backup:backup-import': 'rule:admin_api'
'backup:backup_project_attribute': 'rule:admin_api'
'backup:create': 'rule:system_admin_or_project_member'
'backup:delete': 'rule:system_admin_or_project_member'
'backup:export-import': 'rule:admin_api'
'backup:get': 'rule:system_admin_or_project_reader'
'backup:get_all': 'rule:system_admin_or_project_reader'
'backup:restore': 'rule:system_admin_or_project_member'
...
..

As far as getting the tripleo/deployment part of secure RBAC for Cinder we're good to verify.
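Added example, not part of the verification comment above and not TripleO or Cinder code: a small audit that goes beyond eyeballing `head policy.yaml` by bucketing each API policy according to the rule it references, so an entry left unrestricted or not on a secure RBAC persona stands out. The sample input is the ten lines shown in the comment; the bucket names and the convention that names without `:` are rule aliases are assumptions of this example.

```python
import re

# First ten entries, copied from the `head policy.yaml` output in the comment above.
SAMPLE_POLICY = """\
'admin_api': 'is_admin:True or (role:admin and is_admin_project:True)'
'admin_or_owner': 'is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s'
'backup:backup-import': 'rule:admin_api'
'backup:backup_project_attribute': 'rule:admin_api'
'backup:create': 'rule:system_admin_or_project_member'
'backup:delete': 'rule:system_admin_or_project_member'
'backup:export-import': 'rule:admin_api'
'backup:get': 'rule:system_admin_or_project_reader'
'backup:get_all': 'rule:system_admin_or_project_reader'
'backup:restore': 'rule:system_admin_or_project_member'
"""

ENTRY_RE = re.compile(r"^'([^']+)':\s*'([^']*)'\s*$")
# Persona rule names exactly as they appear in the output above.
SRBAC_RULES = {"system_admin_or_project_reader", "system_admin_or_project_member"}


def parse_policy(text):
    """Return {name: check_string} for single-line 'name': 'check' entries."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group(1)] = match.group(2)
    return entries


def audit(entries):
    """Bucket API policies by the kind of rule their check string references."""
    report = {"srbac": [], "admin_only": [], "unrestricted": [], "other": []}
    for name, check in entries.items():
        if ":" not in name:  # assumption: names without ':' are rule aliases
            continue
        refs = set(re.findall(r"rule:([\w:.-]+)", check))
        if not check:  # oslo.policy treats an empty check string as always allowed
            report["unrestricted"].append(name)
        elif refs & SRBAC_RULES:
            report["srbac"].append(name)
        elif refs == {"admin_api"}:
            report["admin_only"].append(name)
        else:
            report["other"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in audit(parse_policy(SAMPLE_POLICY)).items():
        print(f"{bucket}: {names}")
```

To audit a deployed controller, pass the contents of the generated policy.yaml to `parse_policy` instead of `SAMPLE_POLICY`; anything landing in `unrestricted` or `other` deserves a manual look.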
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:6543