I guess this comment chain is the culprit:
https://review.opendev.org/c/openstack/kolla-ansible/+/882893/comments/bb24d1f0_252d8b74
to quote it:
myself:
> question, mainly for mnasiadka:
> should we add the cinder patch to all other services in this patch also?
> That would mean validating service tokens for every service.
> We could maybe also argue to split this work up in a second/more changesets.
> I have a slight preference to split this up to not let this security bugfix wait for much longer.
> What do you think?
mnasiadika:
> I think we should split the rest, it doesn't seem to be required now.
then in patchset 4:
https://review.opendev.org/c/openstack/kolla-ansible/+/882893/3..4/ansible/roles/cinder/templates/cinder.conf.j2
we have:
``` # TODO(mnasiadka): Work out if that's the desired approach or should we add service role to nova user service_token_roles = admin
then in patchset 6 the comment got removed:
https://review.opendev.org/c/openstack/kolla-ansible/+/882893/5..6/ansible/roles/cinder/templates/cinder.conf.j2
I didn't comment on that because I thought mnasiadka did indeed had checked that this was necessary. ```
I guess this comment chain is the culprit:
https:/ /review. opendev. org/c/openstack /kolla- ansible/ +/882893/ comments/ bb24d1f0_ 252d8b74
to quote it:
myself:
> question, mainly for mnasiadka:
> should we add the cinder patch to all other services in this patch also?
> That would mean validating service tokens for every service.
> We could maybe also argue to split this work up in a second/more changesets.
> I have a slight preference to split this up to not let this security bugfix wait for much longer.
> What do you think?
mnasiadika:
> I think we should split the rest, it doesn't seem to be required now.
then in patchset 4:
https:/ /review. opendev. org/c/openstack /kolla- ansible/ +/882893/ 3..4/ansible/ roles/cinder/ templates/ cinder. conf.j2
we have:
```
# TODO(mnasiadka): Work out if that's the desired approach or should we add service role to nova user
service_token_roles = admin
then in patchset 6 the comment got removed:
https:/ /review. opendev. org/c/openstack /kolla- ansible/ +/882893/ 5..6/ansible/ roles/cinder/ templates/ cinder. conf.j2
I didn't comment on that because I thought mnasiadka did indeed had checked that this was necessary.
```