Octavia default policy requires tenants to hold roles for access to the API

Bug #1813602 reported by Frode Nordahl on 2019-01-28
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Charms Deployment Guide
Low
Frode Nordahl
OpenStack Octavia Charm
Low
Frode Nordahl
charm-interface-keystone
Low
Frode Nordahl

Bug Description

As laid out in the upstream documentation [0] non-admin access to the load-balancer API requires role membership.

These roles should be created at charm deployment time.

0: https://docs.openstack.org/octavia/latest/configuration/policy.html

Frode Nordahl (fnordahl) on 2019-01-28
Changed in charm-interface-keystone:
status: New → Triaged
importance: Undecided → Low
Changed in charm-octavia:
status: New → Triaged
importance: Undecided → Low
Changed in charm-deployment-guide:
status: New → Triaged
importance: Undecided → Low
Frode Nordahl (fnordahl) wrote :
Changed in charm-deployment-guide:
assignee: nobody → Frode Nordahl (fnordahl)
Changed in charm-octavia:
assignee: nobody → Frode Nordahl (fnordahl)
Changed in charm-interface-keystone:
assignee: nobody → Frode Nordahl (fnordahl)
Frode Nordahl (fnordahl) on 2019-01-28
Changed in charm-deployment-guide:
status: Triaged → In Progress
Changed in charm-octavia:
status: Triaged → In Progress
Changed in charm-interface-keystone:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/633532
Committed: https://git.openstack.org/cgit/openstack/charm-interface-keystone/commit/?id=0ec113afb7a553e6065b60ea8e9d6ac3ea4b2241
Submitter: Zuul
Branch: master

commit 0ec113afb7a553e6065b60ea8e9d6ac3ea4b2241
Author: Frode Nordahl <email address hidden>
Date: Mon Jan 28 16:39:57 2019 +0100

    Add support for passing optional ``requested_roles`` attribute

    When passing ``requested_roles`` down the ``identity-service``
    relation the Keystone charm will create the listed roles for you.

    Useful for charm authors implementing charms with specific role
    requirements.

    Change-Id: I7c1eedb1e78ffc53ac3e0df81f6b52358dd8dfa5
    Closes-Bug: #1813602

Changed in charm-interface-keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/633540
Committed: https://git.openstack.org/cgit/openstack/charm-octavia/commit/?id=f06a3fc78feb8f354f0a6f0b86e0d12f580b0e16
Submitter: Zuul
Branch: master

commit f06a3fc78feb8f354f0a6f0b86e0d12f580b0e16
Author: Frode Nordahl <email address hidden>
Date: Mon Jan 28 16:54:43 2019 +0100

    Request roles from Keystone on endpoint registration

    Change-Id: Ic876a09b046a49b7dedc5e41f831eabd73bb0cde
    Closes-Bug: #1813602
    Depends-On: https://review.openstack.org/#/c/633532/

Changed in charm-octavia:
status: In Progress → Fix Committed
Changed in charm-deployment-guide:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/633541
Committed: https://git.openstack.org/cgit/openstack/charm-deployment-guide/commit/?id=30a683f20a9881f8f4a43c19681b6c6d399e3e08
Submitter: Zuul
Branch: master

commit 30a683f20a9881f8f4a43c19681b6c6d399e3e08
Author: Frode Nordahl <email address hidden>
Date: Mon Jan 28 17:02:19 2019 +0100

    Add paragraph about Octavia Policies and end user API access

    Change-Id: I214c22ceda5fdc16ac8e8d1bb71c4709faff41f0
    Closes-Bug: #1813602

James Page (james-page) on 2019-04-17
Changed in charm-octavia:
milestone: none → 19.04
David Ames (thedac) on 2019-04-17
Changed in charm-octavia:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers