inspector does not honor service role, and admin role is locked out
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ironic Inspector | Fix Released | High | Julia Kreger |
Bug Description
If one enables the oslo_policy settings for enforce_
Which was fine for the very early initial iteration of the OpenStack Secure/Consistent Role Based Access Control model, but since that initial work, the overall community model has changed.
* Admin is admin across the cloud - Originally, this was considered a bug, but now embraced by the wider community as the standard.
* Manager is a newer role, but for scoped "administrative" actions inside of a tenant.
* Service - An addition to the RBAC model after the initial work was done in Ironic and Ironic-inspector to enable a service to connect and authenticate to a service without use of an "admin" credential.
In the case of Inspector, being an "admin-only" service, this means unless someone is very much in the know about OpenStack's RBAC model, they are quickly locked out from using inspector. This also means any tooling which expects everything to just work with a service role or an admin role for cross-service communication would deploy inspector in a configuration, and ironic alongside it, in a state where administrative users *and* ironic will not be able to talk to inspector.
The simplest path is to just do the needful changes, and backport them a couple of releases to align with other projects.
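The lockout described in this report, modelled as an added example (not code from ironic-inspector or oslo.policy). The two rule strings, the `Token` type and the sample callers are constructed assumptions; only the admin and service role names come from the report.

```python
# Added example: simplified model of oslo.policy-style check strings.
# The rule strings and tokens are constructed, not ironic-inspector's defaults.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    roles: frozenset
    system_scope: Optional[str] = None  # "all" on a system-scoped token
    project_id: Optional[str] = None    # set on a project-scoped token


def _atom(check: str, tok: Token) -> bool:
    kind, _, value = check.partition(":")
    if kind == "role":
        return value in tok.roles
    if kind == "system_scope":
        return tok.system_scope == value
    raise ValueError(f"unsupported check: {check!r}")


def allowed(rule: str, tok: Token) -> bool:
    """Evaluate 'a and b or c' ('and' binds tighter; no parentheses)."""
    return any(
        all(_atom(a.strip(), tok) for a in clause.split(" and "))
        for clause in rule.split(" or ")
    )


# Hypothetical "before": only a system-scoped admin passes.
ADMIN_ONLY = "role:admin and system_scope:all"
# Hypothetical "after": admin is admin everywhere, and service is honored.
ADMIN_OR_SERVICE = "role:admin or role:service"

CALLERS = {
    "project-admin": Token(frozenset({"admin", "member", "reader"}), project_id="p1"),
    "ironic-service": Token(frozenset({"service"}), project_id="service"),
    "system-admin": Token(frozenset({"admin"}), system_scope="all"),
    "project-member": Token(frozenset({"member", "reader"}), project_id="p1"),
}


def audit(rule: str) -> dict:
    """Return {caller: allowed?} so a policy change can be reviewed before rollout."""
    return {name: allowed(rule, tok) for name, tok in CALLERS.items()}


if __name__ == "__main__":
    for rule in (ADMIN_ONLY, ADMIN_OR_SERVICE):
        print(rule, audit(rule))
```

Running the same caller matrix against a deployment's real policy file before enabling stricter enforcement shows which credentials would be locked out, and confirms that an unprivileged member still is.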
Changed in ironic-inspector:
assignee: nobody → Julia Kreger (juliaashleykreger)
Changed in ironic-inspector:
status: Fix Committed → Fix Released
Patch is up but is not merged yet since we have a problem in one job. https://review.opendev.org/c/openstack/ironic-inspector/+/905353