Comment 5 for bug 1895848

Lee Yarwood (lyarwood) wrote :

Dumping notes from the PTG etherpad here for context:

https://etherpad.opendev.org/p/nova-wallaby-ptg

(lyarwood) Enabling admin only move operations for instances with associated barbican secrets

- https://bugs.launchpad.net/nova/+bug/1895848

- https://docs.openstack.org/barbican/latest/api/reference/acls.html#patch-v1-containers-uuid-acl

- mgoddard: Feel free to ping me for this one, since I raised the bug.

- Q: Should we try to work around this in code or just document the suggested workaround from the
  bug (using a migrator role who can read secrets) as Cinder does for other issues during the
  initial creation of an encrypted volume by a user:
  https://docs.openstack.org/cinder/latest/configuration/block-storage/volume-encryption.html#key-management-access-control

- there are things that try to do things with an admin context without a user token
  + resize auto confirm periodic task <- if the guest is running in resize verify this should not
    fail, right?
  + rebooting instance at compute startup due to resume_guests_state_on_host_boot config

AGREED:

- add a new user to nova conf for barbican

- when nova creates the secret in barbican with the user's token then nova needs to add an ACL so
  that nova's barbican user can read the token later

- alternative: service user token used in a similar way alongside the user admin token

- lyarwood to write up a spec for this in W
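
An added sketch, not part of the comment above and not nova's code, of the ACL step in the AGREED list: computing the body for a Barbican secret ACL `PATCH` that grants read access to a service user. Because the users list sent in the request replaces the stored one, existing readers are carried over; the user ids, the secret reference and the function names are constructed for illustration.

```python
import json


def build_read_acl_patch(current_acl, service_user_id):
    """Return the ACL PATCH body granting 'read' to service_user_id.

    current_acl is the JSON document returned by GET <secret_ref>/acl.
    Returns None when the user already has read access (nothing to send).
    """
    read = current_acl.get("read", {})
    users = list(read.get("users", []))
    if service_user_id in users:
        return None
    # The submitted users list replaces the stored one, so keep existing
    # readers and append the service user rather than sending it alone.
    users.append(service_user_id)
    return {
        "read": {
            "users": users,
            # Echo the current flag so the owner project's access is unchanged.
            "project-access": read.get("project-access", True),
        }
    }


def acl_patch_request(secret_ref, current_acl, service_user_id):
    """Return (method, url, json_body) for the ACL update, or None if not needed."""
    body = build_read_acl_patch(current_acl, service_user_id)
    if body is None:
        return None
    return ("PATCH", secret_ref.rstrip("/") + "/acl", json.dumps(body, sort_keys=True))


if __name__ == "__main__":
    # Constructed sample values: a secret that already lists one reader.
    existing = {"read": {"users": ["existing-reader-id"], "project-access": True}}
    ref = "https://barbican.example/v1/secrets/SECRET-UUID-PLACEHOLDER"
    print(acl_patch_request(ref, existing, "nova-barbican-user-id"))
```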