Bug 2231080 - [OSP16.2] Barbican Creator role capabilities should be updated/fix on Documentation
Status: ASSIGNED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Roger Heslop
QA Contact: RHOS Documentation Team
Reported: 2023-08-10 13:45 UTC by Ricardo Ramos Thomas
Modified: 2023-08-15 15:31 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-27414 0 None None None 2023-08-10 13:47:48 UTC

Description Ricardo Ramos Thomas 2023-08-10 13:45:59 UTC
Description of problem:

Our doc says the following [1]:

The policy.yaml.sample file you generated describes the policies used by barbican. The policy is implemented by four different roles that define how a user interacts with secrets and secret metadata. A user receives these permissions by being assigned to a particular role:


admin - Can delete, create/edit, and read secrets.
creator - Can create/edit, and read secrets. Can not delete secrets.
observer - Can only read data.
audit - Can only read metadata. Can not read secrets.


but it looks like the creator role can delete secrets owned by the project, as upstream and CU can confirm:

- https://docs.openstack.org/barbican/latest/admin/access_control.html

- https://storyboard.openstack.org/#!/story/2009791

~~~
creator
Users with this role are allowed to create new resources and can also delete resources which are owned by the project for which the creator role is scoped. They are also allowed full access to existing secrets owned by the project in scope.
~~~

Looks like the upstream change to the creator role was part of openstack-barbican 9.0.2-2.20220607193627.d632bba and newer for 16.2


So it looks like this is expected behavior and our doc is wrong.



Version-Release number of selected component (if applicable):

RHOSP 16.2.x (Train) 

How reproducible:


Steps to Reproduce:
1. Does not apply

Actual results:

Red Hat 16.2 documentation has the wrong explanation of the capabilities of the Creator role

Expected results:

Right explanation about the Role on Red Hat Documentation. 

Additional info:


-sosreport are available

