Ironic - lack of support for new RBAC policy
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kolla-ansible |
Fix Released
|
High
|
Bartosz Bezak |
Bug Description
Ironic enforced new RBAC policy by default - https:/
Kolla Ansible doesn't support it yet - nova-compute-ironic service user is a service project scoped with admin role which can't see baremetal nodes provisioned by tenks in admin project - https:/
Possible long term solution would be to add service role to ironic service user, however it is still in the works - https:/
previous attempt to add service role:
https:/
Changed in kolla-ansible: | |
status: | New → In Progress |
Changed in kolla-ansible: | |
assignee: | nobody → Bartosz Bezak (bbezak) |
importance: | Undecided → High |
Reviewed: https:/ /review. opendev. org/c/openstack /kolla- ansible/ +/906858 /opendev. org/openstack/ kolla-ansible/ commit/ d77372e86ab0787 11d48dbe2917714 f338842ca5
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit d77372e86ab0787 11d48dbe2917714 f338842ca5
Author: Bartosz Bezak <email address hidden>
Date: Fri Jan 26 16:46:14 2024 +0100
Disable new defaults and scope for Ironic (RBAC)
Ironic started enforcing new RBAC policies [1]. Kolla/Kayobe
CI jobs are failing, as K-A doesn't have service role support.
Moreover Ironic RBAC is not yet stable enough [2].
Disable enforcing new policies until fix merges and Kolla
Ansible service role support is added.
[1] https:/ /review. opendev. org/c/openstack /ironic/ +/902009 /review. opendev. org/c/openstack /ironic/ +/907148
[2] https:/
Related-Bug: #2051837
Change-Id: I424cff6ac96dfe 0dd5dc58afca2b7 85f494c9f02