Bug 1956280 - [RFE] Deploy secure RBAC for Cinder via TripleO
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
high
low
Target Milestone: beta
: 17.0
Assignee: Alan Bishop
QA Contact: Joe H. Rahme
Depends On: 1326396
Blocks: 1381612
Reported: 2021-05-03 11:39 UTC by Giulio Fidente
Modified: 2024-03-25 18:15 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20220317195120.4b13772
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-21 12:14:56 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 818634 | 0 | None | MERGED | Implement project personas in custom cinder policy file | 2021-12-24 05:27:49 UTC
Red Hat Issue Tracker | OSP-3541 | 0 | None | None | None | 2021-11-22 22:01:51 UTC
Red Hat Product Errata | RHEA-2022:6543 | 0 | None | None | None | 2022-09-21 12:15:25 UTC

Description Giulio Fidente 2021-05-03 11:39:51 UTC
Enable secure RBAC for/in Cinder when deploying via TripleO

https://etherpad.opendev.org/p/policy-popup-xena-ptg

Comment 2 Alan Bishop 2021-10-08 17:46:19 UTC
The approach to be taken for OSP-17 will use a policy override file generated via THT's CinderApiPolicies parameter.

Comment 3 Alan Bishop 2022-01-04 19:23:40 UTC
Patch on stable/wallaby has already been imported into rhos-17.0-trunk-patches, so just waiting for an updated compose.

Comment 5 Brian Rosmaita 2022-05-31 13:28:18 UTC
*** Bug 1326396 has been marked as a duplicate of this bug. ***

Comment 6 Tzach Shefi 2022-07-21 06:26:30 UTC
Verified on:
openstack-tripleo-heat-templates-14.3.1-0.20220628111342.7c969c5.el9ost.noarch

Added srbac yaml to my overcloud_deploy.sh:
/usr/share/openstack-tripleo-heat-templates/environments/enable-secure-rbac.yaml 

The expected policy.yaml shows up under Cinder's config dir:

[root@controller-2 ~]# cd /var/lib/config-data/puppet-generated/cinder/etc/cinder/
[root@controller-2 cinder]# ll
total 204
-rw-r-----. 1 root 42407 194748 Jul  5 20:14 cinder.conf
-rw-r-----. 1 root 42407   9652 Jul  5 20:14 policy.yaml


[root@controller-2 cinder]# head policy.yaml 
'admin_api': 'is_admin:True or (role:admin and is_admin_project:True)'
'admin_or_owner': 'is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s'
'backup:backup-import': 'rule:admin_api'
'backup:backup_project_attribute': 'rule:admin_api'
'backup:create': 'rule:system_admin_or_project_member'
'backup:delete': 'rule:system_admin_or_project_member'
'backup:export-import': 'rule:admin_api'
'backup:get': 'rule:system_admin_or_project_reader'
'backup:get_all': 'rule:system_admin_or_project_reader'
'backup:restore': 'rule:system_admin_or_project_member'
...
..

As far as getting the tripleo/deployment part of secure RBAC for Cinder we're good to verify.
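
Added example, not part of the bug report or of tripleo-heat-templates: one way to audit a deployed policy file like the one quoted in comment 6, listing which rule alias each policy delegates to and which aliases are not defined in the text given. It assumes flat, single-quoted `'name': 'check'` lines as in the `head` output; the last sample entry is constructed, and treating `admin_or_owner` as the pre-persona rule is an assumption of this example.

```python
import re

# First ten lines of policy.yaml as quoted in comment 6, plus one constructed
# entry (the last line) so the admin_or_owner check has something to report.
EXCERPT = """\
'admin_api': 'is_admin:True or (role:admin and is_admin_project:True)'
'admin_or_owner': 'is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s'
'backup:backup-import': 'rule:admin_api'
'backup:backup_project_attribute': 'rule:admin_api'
'backup:create': 'rule:system_admin_or_project_member'
'backup:delete': 'rule:system_admin_or_project_member'
'backup:export-import': 'rule:admin_api'
'backup:get': 'rule:system_admin_or_project_reader'
'backup:get_all': 'rule:system_admin_or_project_reader'
'backup:restore': 'rule:system_admin_or_project_member'
'example:constructed_action': 'rule:admin_or_owner'
"""

ENTRY = re.compile(r"^'([^']+)':\s*'([^']*)'\s*$")
RULE_REF = re.compile(r"\brule:([\w:-]+)")


def parse_policy(text):
    """Return {name: check string}; reject any line that is not a flat pair."""
    policy = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a 'name': 'check' pair")
        policy[m.group(1)] = m.group(2)
    return policy


def audit(text, pre_persona=("admin_or_owner",)):
    """Report alias usage, aliases undefined in `text`, and pre-persona bindings."""
    policy = parse_policy(text)
    used = {}  # alias -> names whose check string references it via rule:
    for name, check in policy.items():
        for alias in RULE_REF.findall(check):
            used.setdefault(alias, []).append(name)
    return {
        "bindings": {a: sorted(n) for a, n in used.items()},
        "undefined": sorted(a for a in used if a not in policy),
        "pre_persona": sorted(n for a in pre_persona for n in used.get(a, [])),
    }
```

On the excerpt, `undefined` lists the two persona aliases only because their definitions lie past the ten quoted lines; run against the complete file to see which aliases it defines itself.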

Comment 15 errata-xmlrpc 2022-09-21 12:14:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

