[barbican] Encrypted volume evacuation fails during Masakari HA process due to insufficient permissions
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Barbican | In Progress | Undecided | Unassigned |
masakari | New | Undecided | Unassigned |
openstack-helm | New | Undecided | Unassigned |
Bug Description
During host failure, Masakari's evacuation process fails when handling encrypted volumes due to permission issues with Barbican. The current policy requires both admin role and project membership, which prevents Masakari from properly accessing encryption keys during the HA process.
## Current Behavior
1. When host failure occurs:
- Masakari detects the failure and initiates evacuation
- For VMs with encrypted volumes, evacuation fails
- Error occurs while attempting to access encryption keys from Barbican
- Process fails due to project membership requirement
2. Error messages show:
- Permission denied accessing Barbican secrets
- Unable to decrypt volume during evacuation
- HA process incomplete for encrypted volumes
## Impact
- HA process fails for VMs with encrypted volumes
- Service availability compromised
- Recovery process blocked
- Manual intervention required
## Root Cause
1. Policy Restrictions:
- Barbican requires project membership for key access
- Masakari service runs independently of projects
- No dedicated role exists for HA services
2. Current Policy Limitations:
"secret:decrypt": "role:admin and project_
"secret:get": "role:admin and project_
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/barbican/+/934940
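
The check described under Root Cause (admin role and project membership), as an added example that is not Barbican's or oslo.policy's code: a small evaluator that reports which part of the rule a caller fails. `RULE` is a constructed stand-in written in oslo.policy's check syntax, not the truncated rule from the report, and the project names and callers are constructed sample data; the HA service token is assumed to be scoped to a separate service project.

```python
# Added example: a minimal evaluator for oslo.policy-style checks joined by
# "and". Not Barbican's or oslo.policy's code. RULE is constructed to model
# "admin role AND project membership"; it is not the truncated rule above.
RULE = "role:admin and project_id:%(project_id)s"


def failed_checks(rule, creds, target):
    """Return the checks in `rule` that the caller's credentials fail."""
    failed = []
    for check in rule.split(" and "):
        kind, _, match = check.strip().partition(":")
        if kind == "role":
            # Role check: the token must carry the named role.
            ok = match.lower() in (r.lower() for r in creds.get("roles", []))
        else:
            # Generic check: credential attribute `kind` must equal the
            # value substituted from the target (the secret being read).
            ok = str(creds.get(kind)) == match % target
        if not ok:
            failed.append(check.strip())
    return failed


# Constructed sample data: a secret owned by a tenant project, three callers.
SECRET = {"project_id": "tenant-a"}
CALLERS = {
    "tenant admin": {"roles": ["admin"], "project_id": "tenant-a"},
    "tenant member": {"roles": ["member"], "project_id": "tenant-a"},
    # Assumption: the HA service holds admin but is scoped to a service project.
    "ha service": {"roles": ["admin"], "project_id": "service"},
}


def evaluate_all(rule=RULE, target=SECRET):
    """Map each constructed caller to the list of checks it fails."""
    return {name: failed_checks(rule, c, target) for name, c in CALLERS.items()}


if __name__ == "__main__":
    for name, failed in evaluate_all().items():
        verdict = "ALLOW" if not failed else "DENY " + ", ".join(failed)
        print(f"{name:14s} {verdict}")
```

The service caller is denied on the project check alone, which is the failure the report describes: holding the admin role does not satisfy the membership half of the rule.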