inspector does not honor service role, and admin role is locked out

Bug #2049098 reported by Julia Kreger
Affects: Ironic Inspector
Status: Fix Released
Importance: High
Assigned to: Julia Kreger

Bug Description

If one enables the oslo_policy settings enforce_new_defaults and enforce_scope, ironic-inspector users are functionally locked out unless they have a "system scoped" token.

This was fine for the very early initial iteration of the OpenStack Secure/Consistent Role Based Access Control model, but since that initial work, the overall community model has changed.

* Admin is admin across the cloud - Originally, this was considered a bug, but now embraced by the wider community as the standard.
* Manager is a newer role, but for scoped "administrative" actions inside of a tenant.
* Service - An addition to the RBAC model after the initial work was done in Ironic and Ironic-inspector, to enable a service to connect and authenticate to a service without the use of an "admin" credential.

In the case of Inspector, being an "admin-only" service, this means that unless someone is very much in the know about OpenStack's RBAC model, they are quickly locked out from using inspector. This also means any tooling which expects everything to just work with a service role or an admin role for cross-service communication would deploy inspector, and ironic alongside it, in a configuration where administrative users *and* ironic will not be able to talk to inspector.

The simplest path is to just do the needful changes, and backport them a couple of releases to align with other projects.
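To make the lock-out concrete, here is an added example (not ironic-inspector or oslo.policy code) that emulates the subset of oslo.policy check-string evaluation the report relies on: `role:X` and `system_scope:all` atoms joined with `and`/`or`, plus the `enforce_scope` gate that rejects a token whose scope is not in the rule's `scope_types`. The two policy strings, the token contents and the caller names are illustrative assumptions, not the project's literal defaults; what they show is the pattern described above, a system-scope-only rule denying a project-scoped admin and the service role, and a community-style rule admitting both.

```python
# Added example, not ironic-inspector or oslo.policy code: a small emulation of
# oslo.policy check-string evaluation (role:X, system_scope:all, "and", "or")
# plus the enforce_scope gate, to show why a system-scope-only default denies a
# project-scoped admin and a service token. Rule strings are illustrative.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Token:
    """The parts of a Keystone token that policy checks look at."""
    roles: frozenset
    system_scope: Optional[str] = None   # "all" on a system-scoped token
    project_id: Optional[str] = None     # set on a project-scoped token

    @property
    def scope(self) -> str:
        return "system" if self.system_scope else "project"


def _match_atom(atom: str, token: Token) -> bool:
    """Evaluate a single check such as 'role:admin' or 'system_scope:all'."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in token.roles
    if kind == "system_scope":
        return token.system_scope == value
    raise ValueError(f"unsupported check {atom!r}")


def check(rule: str, token: Token) -> bool:
    """'or' binds looser than 'and', as in oslo.policy; no parentheses here."""
    return any(
        all(_match_atom(atom.strip(), token) for atom in conj.split(" and "))
        for conj in rule.split(" or ")
    )


@dataclass(frozen=True)
class Policy:
    rule: str
    scope_types: Tuple[str, ...]


def enforce(policy: Policy, token: Token, enforce_scope: bool = True) -> bool:
    """With enforce_scope=True a token of the wrong scope is rejected before the
    rule is even evaluated (oslo.policy raises InvalidScope; here we return False)."""
    if enforce_scope and token.scope not in policy.scope_types:
        return False
    return check(policy.rule, token)


# Illustrative defaults (assumptions, not the project's literal policy strings):
# the old system-scope-only admin rule, and the community-style replacement that
# admits a cloud-wide admin or the service role at either scope.
OLD_ADMIN_API = Policy("role:admin and system_scope:all", ("system",))
NEW_ADMIN_API = Policy("role:admin or role:service", ("system", "project"))

# Constructed tokens covering the callers the bug report mentions.
TOKENS = {
    "system_admin": Token(frozenset({"admin"}), system_scope="all"),
    "project_admin": Token(frozenset({"admin", "member"}), project_id="p1"),
    "ironic_service": Token(frozenset({"service"}), project_id="service"),
    "project_member": Token(frozenset({"member"}), project_id="p1"),
}


def outcomes(policy: Policy, enforce_scope: bool = True) -> Dict[str, bool]:
    """Which constructed callers get through a given default."""
    return {name: enforce(policy, tok, enforce_scope) for name, tok in TOKENS.items()}


if __name__ == "__main__":
    for label, policy in (("old", OLD_ADMIN_API), ("new", NEW_ADMIN_API)):
        print(label, outcomes(policy))
```

Note that turning `enforce_scope` off does not rescue the old rule: a project-scoped admin still fails `system_scope:all`, so only a system-scoped token ever passes. The new-style rule lets the cloud-wide admin and the service role through at either scope while an ordinary member stays denied.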

Changed in ironic-inspector:
assignee: nobody → Julia Kreger (juliaashleykreger)
Revision history for this message
Iury Gregory Melo Ferreira (iurygregory) wrote :

Patch is up but is not merged yet since we have a problem in one job. https://review.opendev.org/c/openstack/ironic-inspector/+/905353

Changed in ironic-inspector:
status: New → Fix Committed
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic-inspector 12.0.0

This issue was fixed in the openstack/ironic-inspector 12.0.0 release.

Changed in ironic-inspector:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic-inspector 11.4.1

This issue was fixed in the openstack/ironic-inspector 11.4.1 release.
