Dumping notes from the PTG etherpad here for context:
https://etherpad.opendev.org/p/nova-wallaby-ptg
(lyarwood) Enabling admin only move operations for instances with associated barbican secrets
- https://bugs.launchpad.net/nova/+bug/1895848
- https://docs.openstack.org/barbican/latest/api/reference/acls.html#patch-v1-containers-uuid-acl
- mgoddard: Feel free to ping me for this one, since I raised the bug.
- Q: Should we try to work around this in code or just document the suggested workaround from the
bug (using a migrator role who can read secrets) as Cinder does for other issues during the
initial creation of an encrypted volume by a user:
https://docs.openstack.org/cinder/latest/configuration/block-storage/volume-encryption.html#key-management-access-control
- there are things that try to do things with an admin context without a user token
+ resize auto confirm periodic task <- if the guest is running in resize verify this should not
fail right
+ rebooting instance at compute startup due to resume_guests_state_on_host_boot config
AGREED:
- add a new user to nova conf for barbican
- when nova creates the secret in barbican with the user's token then nova needs to add an ACL so
that nova's barbican user can read the token later
- alternative: service user token used in a similar way alongside the user admin token
- lyarwood to write up a spec for this in W
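As an added illustration of the AGREED approach (example code written for these notes, not nova's or barbican's own implementation): after nova stores a secret with the end user's token, it can PATCH the secret's ACL so that a configured nova service user can read it later from an admin context that carries no user token. The secret ref, the service user id and the token value below are constructed placeholders; the request body shape follows the Barbican ACL API linked above, applied to a secret rather than a container. The `acl_allows_read` helper is a deliberately simplified model of the read decision (users list plus project-access flag only) used to show why a service user outside the owning project needs the explicit entry.

```python
"""Grant a Barbican service user read access to a user-created secret.

Added example, not nova's or barbican's code.  It builds the
PATCH /v1/secrets/{uuid}/acl request nova would send with the end user's
token, and models the resulting read decision for a caller outside the
owning project, which is the situation of a periodic task (resize auto
confirm, reboot on host boot) running under an admin context.
"""
import json
import urllib.request
from typing import Dict, List, Tuple

# Constructed identifiers; none of these is a real deployment value.
SECRET_REF = "https://barbican.example.test/v1/secrets/5e6a2e1c-1a0c-4d2e-9f0a-9b9b7c1d0a11"
NOVA_SERVICE_USER_ID = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"  # hypothetical keystone user id


def build_acl_patch(secret_ref: str, reader_user_ids: List[str],
                    project_access: bool = True) -> Tuple[str, Dict[str, str], Dict]:
    """Build (url, headers, body) for PATCH {secret_ref}/acl.

    Body shape per the Barbican ACL API: one "read" operation carrying the
    keystone user ids allowed to read and the project-access flag.  Keeping
    project-access true leaves the owning project's access untouched; the
    users list adds the service user on top of it.
    """
    url = secret_ref.rstrip("/") + "/acl"
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    body = {"read": {"users": list(reader_user_ids), "project-access": project_access}}
    return url, headers, body


def send_acl_patch(url: str, headers: Dict[str, str], body: Dict, user_token: str,
                   opener=urllib.request.urlopen) -> int:
    """Send the PATCH authenticated as the secret's owner (the end user).

    This is the only network call; `opener` is injectable so the request
    can be exercised without a live Barbican.  Returns the HTTP status.
    """
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="PATCH",
                                 headers={**headers, "X-Auth-Token": user_token})
    with opener(req) as resp:
        return resp.status


def acl_allows_read(read_acl: Dict, user_id: str, user_in_owning_project: bool) -> bool:
    """Simplified model of the read decision for a non-admin caller.

    A caller listed in "users" may read; otherwise reading requires
    project-access to be true *and* the caller to belong to the owning
    project.  Barbican's creator and admin-role checks are left out.
    """
    if user_id in read_acl.get("users", []):
        return True
    return bool(read_acl.get("project-access", True)) and user_in_owning_project


if __name__ == "__main__":
    url, headers, body = build_acl_patch(SECRET_REF, [NOVA_SERVICE_USER_ID])
    # Without the explicit entry, a service user outside the project cannot
    # read the secret, which is what breaks admin-only moves.
    default_acl = {"users": [], "project-access": True}
    print("before:", acl_allows_read(default_acl, NOVA_SERVICE_USER_ID, False))
    print("after: ", acl_allows_read(body["read"], NOVA_SERVICE_USER_ID, False))
    print("PATCH", url, json.dumps(body))
```

The PATCH is issued with the end user's token immediately after the secret is created, while nova still holds that token; the later admin-context operations then authenticate as the service user and rely on the ACL entry rather than on any user token.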