[barbican] Encrypted volume evacuation fails during Masakari HA process due to insufficient permissions

Bug #2087915 reported by DongHun, Kim
Affects         Status        Importance   Assigned to   Milestone
Barbican        In Progress   Undecided    Unassigned
masakari        New           Undecided    Unassigned
openstack-helm  New           Undecided    Unassigned

Bug Description

During a host failure, Masakari's evacuation process fails when handling encrypted volumes due to permission issues with Barbican. The current policy requires both the admin role and project membership, which prevents Masakari from properly accessing encryption keys during the HA process.

## Current Behavior
1. When host failure occurs:
   - Masakari detects the failure and initiates evacuation
   - For VMs with encrypted volumes, evacuation fails
   - Error occurs while attempting to access encryption keys from Barbican
   - Process fails due to project membership requirement

2. Error messages show:
   - Permission denied accessing Barbican secrets
   - Unable to decrypt volume during evacuation
   - HA process incomplete for encrypted volumes

## Impact
- HA process fails for VMs with encrypted volumes
- Service availability compromised
- Recovery process blocked
- Manual intervention required

## Root Cause
1. Policy Restrictions:
   - Barbican requires project membership for key access
   - Masakari service runs independently of projects
   - No dedicated role exists for HA services

2. Current Policy Limitations:
"secret:decrypt": "role:admin and project_id:%(project_id)s"
"secret:get": "role:admin and project_id:%(project_id)s"
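
To make the root cause concrete, the following is an added illustration (not code from Barbican, Masakari, oslo.policy or the linked review) that evaluates the two policy strings quoted above the way an oslo.policy-style checker does: each `kind:value` atom is tested against the caller's credentials, and `%(project_id)s` is expanded from the target, i.e. the secret's owning project. The credentials (`TENANT_MEMBER`, `TENANT_ADMIN`, `MASAKARI_SERVICE`), the secret (`VOLUME_SECRET`) and the helper names `check` and `evaluate_scenarios` are constructed for the example. `HYPOTHETICAL_POLICY`, which adds `or role:service`, is an assumption included only to show what a cross-project service path would look like; it is not the change proposed in the review below.

```python
"""Toy oslo.policy-style rule evaluator (added illustration, not Barbican or
oslo.policy code).  It supports only "kind:value" atoms joined by "and"/"or",
as in the rules quoted in the bug report, with "%(attr)s" expanded from the
target (the secret being accessed).  That is enough to reproduce the
permission failure described above."""

# Policy strings exactly as quoted in the bug report.
CURRENT_POLICY = {
    "secret:decrypt": "role:admin and project_id:%(project_id)s",
    "secret:get": "role:admin and project_id:%(project_id)s",
}

# Hypothetical relaxed rule, an assumption for this example only.  It is NOT
# the fix under review; it just shows how a role-based path would bypass the
# project_id match that blocks a cross-project service caller.
HYPOTHETICAL_POLICY = {
    "secret:decrypt": "role:admin and project_id:%(project_id)s or role:service",
    "secret:get": "role:admin and project_id:%(project_id)s or role:service",
}


def _check_atom(atom, creds, target):
    """Evaluate one 'kind:value' atom against the caller's credentials.

    'role:X' is true when X is among the caller's roles; any other kind is
    compared with the credential attribute of that name after substituting
    target attributes such as %(project_id)s into the value."""
    kind, _, value = atom.partition(":")
    value = value % target  # "%(project_id)s" becomes the secret's owner project
    if kind == "role":
        return value in creds.get("roles", ())
    return str(creds.get(kind)) == value


def check(rule, creds, target):
    """True if the rule passes.  'or' binds loosest, then 'and'.  No
    parentheses, negation or generic checks, unlike real oslo.policy."""
    return any(
        all(_check_atom(atom.strip(), creds, target) for atom in disj.split(" and "))
        for disj in rule.split(" or ")
    )


# Constructed credentials (not real OpenStack identities).
TENANT_MEMBER = {"roles": ["member"], "project_id": "tenant-a"}
TENANT_ADMIN = {"roles": ["admin", "member"], "project_id": "tenant-a"}
# Masakari authenticates as a service user in the "service" project, so its
# project_id never equals the tenant that owns the volume's secret, even
# though it holds the admin role.
MASAKARI_SERVICE = {"roles": ["admin", "service"], "project_id": "service"}

# Constructed target: the Barbican secret backing an encrypted volume of a VM
# that belongs to project tenant-a.
VOLUME_SECRET = {"project_id": "tenant-a"}


def evaluate_scenarios(action="secret:decrypt"):
    """Return which caller may perform `action` on VOLUME_SECRET under each policy."""
    results = {}
    for name, policy in (("current", CURRENT_POLICY), ("hypothetical", HYPOTHETICAL_POLICY)):
        rule = policy[action]
        results[name] = {
            "tenant_member": check(rule, TENANT_MEMBER, VOLUME_SECRET),
            "tenant_admin": check(rule, TENANT_ADMIN, VOLUME_SECRET),
            "masakari_service": check(rule, MASAKARI_SERVICE, VOLUME_SECRET),
        }
    return results


if __name__ == "__main__":
    for policy_name, outcome in evaluate_scenarios().items():
        for caller, allowed in outcome.items():
            print(f"{policy_name:12s} {caller:17s} {'allowed' if allowed else 'DENIED'}")
```

Under the quoted policy the Masakari service user is denied `secret:decrypt` purely on the `project_id` match, which is the failure the report describes; a tenant admin in the owning project passes, and a plain member is denied by the `role:admin` atom. Real deployments evaluate the same strings with oslo.policy, which additionally supports parentheses, negation and generic checks that this toy omits.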

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/barbican/+/934940

Changed in barbican:
status: New → In Progress
