Comment 0 for bug 1953056

Pedro Monteiro Azevedo de Moura Almeida (pmonteir) wrote :

Brief Description
-----------------

There should be a warning on RBAC Enhanced Policies to let the user know that the overrides should be applied together, and that using them separately may cause issues.

It's

Severity
--------
Minor

Description
-----------

The documentation about the RBAC Enhanced Policies (https://docs.starlingx.io/system_configuration/openstack/enhanced-rbac-policies.html) may not be clear enough to let the user know that they should not be applied separately, i.e. some of the rules present in a policy from one service might depend on other services to work. For example, both the nova and cinder overrides must be applied in order to detach a volume from an instance, but a user may think that just the cinder override is necessary because of the "volume:attachment_delete: rule:admin_or_projectmember_owner" rule present in cinder-override.yml.

https://docs.starlingx.io/system_configuration/openstack/enhanced-rbac-policies.html

--------

Perhaps it would make sense to do something like:

About this task

The standard OpenStack RBAC roles and policies can be enhanced by updating policy configuration in individual OpenStack Services’ Helm charts. StarlingX provides an optional set of updated policy configurations for Nova, Neutron, Glance, Cinder, Keystone and Horizon services that introduce two new roles (‘project_admin’ and ‘project_readonly’) and modify the capabilities of the default ‘member’ role. A high-level summary of the new roles’ capabilities and the modified ‘default’ role capabilities are in the following table; a detailed description is provided at end of page.
>> It's important that all the override files get applied, since some of the rules present in a policy from one service might depend on other services to work (e.g. nova commands might depend on glance/cinder/neutron permissions). They should not be used separately. <<
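The coupling described above (a cinder rule that only works when the matching nova override is applied too) can be sanity-checked before the Helm overrides are applied. The following is an added example, not StarlingX code or documentation: it assumes each override file is a flat oslo.policy-style YAML mapping of policy target to rule expression, uses constructed sample content modelled on the cinder rule quoted in the report, and the nova policy target name and the `REQUIRED_SERVICES` list (taken from the six services the docs page names) are assumptions. It reports which of those services have no override supplied and any `rule:` reference that is not defined in the same file.

```python
"""Pre-apply consistency check for a set of RBAC policy override files.

Added example (not StarlingX code). Assumes each override is a flat
'target: expression' mapping in oslo.policy YAML style.
"""
import re

# Services the enhanced-RBAC docs page lists as having overrides (assumption:
# that the deployment intends to apply all six).
REQUIRED_SERVICES = ("nova", "neutron", "glance", "cinder", "keystone", "horizon")

# Matches 'rule:<name>' references inside a policy expression.
_RULE_REF = re.compile(r"\brule:([A-Za-z0-9_.:-]+)")


def _split_kv(line):
    """Split one flat policy line into (key, value), handling quoted keys."""
    if line.startswith('"'):
        end = line.index('"', 1)
        key = line[1:end]
        rest = line[end + 1:].lstrip()
        if not rest.startswith(":"):
            raise ValueError(f"malformed policy line: {line!r}")
        value = rest[1:].strip()
    else:
        # Unquoted keys may contain ':' (e.g. volume:attachment_delete),
        # so split on the first ': ' rather than the first ':'.
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
    return key, value.strip('"').strip("'")


def parse_flat_policy(text):
    """Parse a flat oslo.policy-style YAML document into a dict."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split_kv(line)
        policy[key] = value
    return policy


def check_overrides(override_texts, builtin_rules=()):
    """Return findings for {service: yaml_text}.

    - missing_services: required services with no override supplied
    - undefined_rules: per service, 'rule:' names referenced but not defined
      in that file (and not listed in builtin_rules)
    """
    findings = {"missing_services": [], "undefined_rules": {}}
    for svc in REQUIRED_SERVICES:
        if svc not in override_texts:
            findings["missing_services"].append(svc)
    for svc, text in override_texts.items():
        policy = parse_flat_policy(text)
        defined = set(policy) | set(builtin_rules)
        undefined = set()
        for expr in policy.values():
            for ref in _RULE_REF.findall(expr):
                if ref not in defined:
                    undefined.add(ref)
        if undefined:
            findings["undefined_rules"][svc] = sorted(undefined)
    return findings


# Constructed sample content, modelled on the rule quoted in the bug report.
COMMON_RULE = (
    '"admin_or_projectmember_owner": '
    '"role:admin or (role:member and project_id:%(project_id)s)"\n'
)
SAMPLES = {
    "cinder": COMMON_RULE
    + '"volume:attachment_delete": "rule:admin_or_projectmember_owner"\n',
    # nova target name is an assumption for illustration
    "nova": COMMON_RULE
    + '"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_projectmember_owner"\n',
}


def full_sample_set():
    """A complete constructed set: one override text per required service."""
    return {svc: SAMPLES.get(svc, COMMON_RULE) for svc in REQUIRED_SERVICES}


if __name__ == "__main__":
    # Applying only the cinder override, as the report warns against.
    print(check_overrides({"cinder": SAMPLES["cinder"]}))
    # All six supplied: no findings.
    print(check_overrides(full_sample_set()))
```

This is a structural check only: it catches a partially applied set and dangling rule names, but it cannot prove that a cinder rule's runtime behaviour depends on nova's policy, which is why the doc-level warning proposed in the report is still needed.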