2026029 – Support of project owned keys

Bug 2026029 - Support of project owned keys

Summary: Support of project owned keys

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-barbican
Sub Component:
Version:	16.1 (Train)
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	z9
Target Release:	16.1 (Train on RHEL 8.2)
Assignee:	Douglas Mendizábal
QA Contact:	Jeremy Agee
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2092879 (view as bug list)
Depends On:
Blocks:	2118620
TreeView+	depends on / blocked

Reported:	2021-11-23 16:51 UTC by Luigi Tamagnone
Modified:	2023-02-16 12:43 UTC (History)
CC List:	18 users (show)
Fixed In Version:	openstack-barbican-9.0.1-1.20220617163753.07be198.el8ost
Doc Type:	Bug Fix
Doc Text:	Before this update, the secret:delete policy in the Key Manager service (barbican) only allowed users with the Creator role to delete a secret if they were the same user that created the secret. This limitation impacted encrypted workflows because of the mismatch in policy, for example, the Block Storage service (cinder) allows users with a role assignment on the project to delete encrypted volumes. However, the Key Manager service responded with an authorization error because not all users were allowed to delete the secret. With this update, the secret:delete policy in the Key Manager service has been changed to allow users with the Creator role to delete any secret that belongs to the project, not just the ones that they created. All users allowed to delete a Block Storage service encrypted volume are also allowed to delete the associated secret.
Clone Of:
Clones:	2118620 (view as bug list)
Environment:
Last Closed:	2022-12-07 20:30:05 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack Storyboard	2009791	None	None	None	2022-05-18 22:26:11 UTC
OpenStack gerrit	833563	None	MERGED	Allow secret delete by users with "creator" role	2022-06-06 14:45:42 UTC
Red Hat Issue Tracker	OSP-11016	None	None	None	2021-11-23 16:53:06 UTC
Red Hat Product Errata	RHSA-2022:8874	None	None	None	2022-12-07 20:30:28 UTC

Description Luigi Tamagnone 2021-11-23 16:51:44 UTC

Description of problem:
When a user is not present anymore in a project it's not possible to do activity on instances with the encrypted volume created by the old user, like resize.

A solution could be like having a secret owned by the project on not by a single user.

Version-Release number of selected component (if applicable):
Red Hat OpenStack 16.1 (RHOSP16)

Steps to Reproduce:
1. Create an instance from with an encrypted volume. 
2. delete the user
3. try to resize the instance with another user in the project

Actual results:
The resize of the instance failed with:
Exception during message handling: castellan.common.exception.KeyManagerError: Key manager error: Forbidden: Secret retrieval attempt not allowed - please review your user/project privileges

Expected results:
It should be a way to resize the instance.

Comment 9 Harry Rybacki 2022-06-17 14:40:32 UTC

Doug, would this be considered an RFE? I'm not sure if this is by design or not.

Comment 10 Douglas Mendizábal 2022-06-17 15:13:17 UTC

I consider this a bug because the mismatch in policy between Barbican and Cinder breaks some volume workflows.  The title and description of this BZ make it seem like an RFE, but that's because this BZ assumes that secrets are not currently owned by a project, which is incorrect.  Barbican has always supported project ownership of secrets.  This issue is only related to the "secrets:delete" RBAC policy in Barbican.

Comment 11 Harry Rybacki 2022-06-17 15:23:17 UTC

Ack, thanks for clarifying, Doug. Follow up question, what does it look like to fix the policy in Barbican to resolve this? Are our other policy changes aimed at 16.1.10 going to address this as well or do we have more work to do?

Comment 12 Douglas Mendizábal 2022-06-17 15:35:34 UTC

This issue has already been fixed upstream https://storyboard.openstack.org/#!/story/2009791 and the patch has been proposed downstream and is currently waiting for reviews. We should not need any further policy changes for this issue, and the fix should be able to be merged on time for 16.1.9.

Comment 14 Douglas Mendizábal 2022-06-23 15:39:16 UTC

*** Bug 2092879 has been marked as a duplicate of this bug. ***

Comment 32 errata-xmlrpc 2022-12-07 20:30:05 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenStack Platform 16.1.9 (openstack-barbican) security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8874

Note You need to log in before you can comment on or make changes to this bug.