Description of problem:
For OSP < 17 the creator role was required for secret creation. Now a user with a member role can create secrets.

Version-Release number of selected component (if applicable):
OSP17

How reproducible:
always

Steps to Reproduce:

  openstack --os-cloud overcloud project create --domain default testproject1
  openstack --os-cloud overcloud user create --domain default testuser1_in_project1
  openstack --os-cloud overcloud user set --password 12345678 testuser1_in_project1
  openstack --os-cloud overcloud role add --user testuser1_in_project1 --project project1 member

  openstack --os-cloud testuser1_in_project1 token issue
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field      | Value                                                                                                                                                                                   |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | expires    | 2022-08-09T14:49:53+0000                                                                                                                                                                |
  | id         | gAAAAABi8mYBBbNYygtjEalaZxe4d715t5tV97SI14EaTa7XE29l7dOMBuQmF3PZS07LQ3aI16FzLbODq0Tsl-_0K9YkgypH1Bd9uo69PzoyImKuiCL_rY8BB9OhzXY_WiqQJb8x-fUwckbSP9qx2ChE_LyXJfNlwfUcjuFhYPSUQ4feOuNM8wc |
  | project_id | 87ea6e5e62fe4191bf03891b4b52108c                                                                                                                                                        |
  | user_id    | 29999ae0c14349c681e0d29404a935f7                                                                                                                                                        |
  +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

  openstack --os-cloud testuser1_in_project1 secret store --name secretCreatedFrom_testuser1_in_project1
  +---------------+------------------------------------------------------------------------+
  | Field         | Value                                                                  |
  +---------------+------------------------------------------------------------------------+
  | Secret href   | http://10.0.0.140:9311/v1/secrets/d881a855-2f4d-4333-b6bc-421eebd59ebb |
  | Name          | secretCreatedFrom_testuser1_in_project1                                |
  | Created       | None                                                                   |
  | Status        | None                                                                   |
  | Content types | None                                                                   |
  | Algorithm     | aes                                                                    |
  | Bit length    | 256                                                                    |
  | Secret type   | opaque                                                                 |
  | Mode          | cbc                                                                    |
  | Expiration    | None                                                                   |
  +---------------+------------------------------------------------------------------------+

  openstack --os-cloud testuser1_in_project1 secret update http://10.0.0.140:9311/v1/secrets/d881a855-2f4d-4333-b6bc-421eebd59ebb 'TestPayload-updated'

Actual results:
A member user can create secrets.

Expected results:
The creator role should be required when not using SRBAC.

Additional info:
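To make the policy regression above concrete, here is an added example (not part of this bug report, and not Barbican or oslo.policy code): a minimal evaluator for the subset of oslo.policy rule syntax used by Barbican's "secret:post" rule. The rule strings are an assumption modelled on the legacy policy.json defaults, and the relaxed variant is a hypothetical rule that reproduces the behaviour observed in OSP17; the token roles are constructed to match the member-only user in the reproduction.

```python
# Added example: toy evaluator for oslo.policy-style rule strings, covering
# only "role:<name>", "rule:<name>" and " or ". It is not oslo.policy and
# the rule text below is an assumption based on Barbican's legacy defaults.

# Assumed legacy policy: secret creation needs the admin or creator role.
LEGACY_POLICY = {
    "admin": "role:admin",
    "creator": "role:creator",
    "admin_or_creator": "rule:admin or rule:creator",
    "secret:post": "rule:admin_or_creator",
}

# Hypothetical relaxed policy reproducing the reported OSP17 behaviour:
# a plain project member is also allowed to create secrets.
RELAXED_POLICY = dict(
    LEGACY_POLICY,
    **{"secret:post": "rule:admin_or_creator or role:member"},
)


def check(policy, rule_name, roles, _depth=0):
    """Return True if rule `rule_name` grants access to a token with `roles`."""
    if _depth > 10:
        # Guard against accidental rule cycles in a hand-written policy file.
        raise RecursionError("policy rule cycle while evaluating %r" % rule_name)
    expr = policy[rule_name]
    for clause in expr.split(" or "):
        kind, _, value = clause.strip().partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and check(policy, value, roles, _depth + 1):
            return True
    return False


def can_create_secret(policy, roles):
    """Evaluate the secret-creation rule for a token carrying `roles`."""
    return check(policy, "secret:post", set(roles))


if __name__ == "__main__":
    # Constructed token roles matching testuser1_in_project1 (member only).
    member_only = {"member", "reader"}
    print("legacy, member only :", can_create_secret(LEGACY_POLICY, member_only))
    print("relaxed, member only:", can_create_secret(RELAXED_POLICY, member_only))
    print("legacy, creator     :", can_create_secret(LEGACY_POLICY, {"creator"}))
```

Under the legacy rule the member-only token is denied, which is the expected result in this report; the relaxed rule grants it, which is the actual result.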
Please ensure this bug is properly triaged with acks.
Updated external trackers with patches from https://review.opendev.org/q/topic:story%252F2010235 at the request of Douglas Mendizábal.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:6543