LBaaS user needs permissions to POST consumers
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Barbican | Fix Released | High | Pankaj Khandar | |
octavia | Confirmed | High | Unassigned | |
Bug Description
The ACL read access list was added in part for the LBaaS user to read the containers and secrets it needs, without needing to have an admin role in the secret's project.
Unfortunately, an LBaaS user also needs to be able to POST a consumer.
Permission for this should also be available via the read ACL.
LBaaS Code Calling POST Consumer:
tags: | added: liberty-backport-potential |
Changed in barbican: | |
assignee: | nobody → Adam Harwell (adam-harwell) |
status: | New → In Progress |
Changed in barbican: | |
assignee: | Adam Harwell (adam-harwell) → Pankaj Khandar (pankaj-khandar) |
Jiahao liang (jiahao.liang) wrote : | #2 |
Hi all,
How's the progress for this bug?
It seems like the bug I reported https:/
Do any of you mind checking out the bug I reported? Thanks a lot.
Changed in barbican: | |
assignee: | Pankaj Khandar (pankaj-khandar) → nobody |
status: | In Progress → Confirmed |
Pankaj Khandar (pankaj-khandar) wrote : | #3 |
Sorry folks, I am stuck on some other priorities right now.
Praveen Yalagandula (ypraveen-5) wrote : | #4 |
I ran into the same bug as Jiahao, but on liberty stable devstack: https:/
Is there any temporary workaround until this is fixed?
Changed in octavia: | |
status: | New → Confirmed |
Teri Lu (lujsh-e) wrote : | #5 |
Hi All,
Is anyone working on this bug?
Changed in barbican: | |
importance: | Undecided → High |
Changed in octavia: | |
importance: | Undecided → High |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 38ecf5b51fef129
Author: Pan <email address hidden>
Date: Thu Aug 25 12:56:07 2016 -0400
Remove consumer check for project_id to match containers
I believe this is the correct behavior, as it would match how
containers handles these operations. This change facilitates
the LBaaS Barbican TLS workflow (which should be the same as
what other services will use in the future too).
The RBAC settings for consumer POST should be set to
use the same ACL rules as container GET (plus admin).
The RBAC settings for consumer DELETE should be:
* Any user with Delete permissions on the Container
* Any user that both: has ACL Read access to the Container; is a member
of the project that created the Consumer being deleted
Change-Id: Ie8478457389393
Closes-Bug: #1519170
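The consumer POST and DELETE rules stated in the commit message above, modeled as an added Python example. This is not Barbican's policy code: the class and function names are hypothetical, and "Delete permissions on the Container" is assumed here to mean the project admin or the container's creator.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    user_id: str
    project_id: str
    roles: frozenset = frozenset()

@dataclass
class Container:
    project_id: str
    creator_id: str
    acl_read_users: set = field(default_factory=set)

def has_acl_read(user, container):
    return user.user_id in container.acl_read_users

def is_project_admin(user, container):
    return user.project_id == container.project_id and "admin" in user.roles

def can_delete_container(user, container):
    # Assumption (not from the page): admin of the owning project, or the creator.
    same_project = user.project_id == container.project_id
    return is_project_admin(user, container) or (
        same_project and user.user_id == container.creator_id)

def can_post_consumer(user, container):
    # Commit message: same ACL rules as container GET, plus admin.
    return has_acl_read(user, container) or is_project_admin(user, container)

def can_delete_consumer(user, container, consumer_project_id):
    # Rule 1: any user with Delete permissions on the Container.
    if can_delete_container(user, container):
        return True
    # Rule 2: ACL read on the Container AND member of the project
    # that created the Consumer being deleted.
    return has_acl_read(user, container) and user.project_id == consumer_project_id

# Constructed sample data: a tenant container shared with two service users.
TENANT_CONTAINER = Container("tenant-a", "alice", {"lbaas-svc", "svc2"})
ALICE = User("alice", "tenant-a")
LBAAS = User("lbaas-svc", "service")
OTHER_SVC = User("svc2", "service2")
MALLORY = User("mallory", "other", frozenset({"admin"}))  # admin elsewhere, no ACL

if __name__ == "__main__":
    for u in (ALICE, LBAAS, OTHER_SVC, MALLORY):
        print(u.user_id, can_post_consumer(u, TENANT_CONTAINER),
              can_delete_consumer(u, TENANT_CONTAINER, "service"))
```
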
Changed in barbican: | |
status: | Confirmed → Fix Released |
Pankaj Khandar (pankaj-khandar) wrote : | #7 |
You will also need this
https:/
Changed in barbican: | |
assignee: | nobody → Pankaj Khandar (pankaj-khandar) |
This issue was fixed in the openstack/barbican 3.0.0.0rc1 release candidate.
This issue was fixed in the openstack/barbican 3.0.0 release.
Fix proposed to branch: master
Review: https://review.openstack.org/251168