Public bug reported: # Description
Migration and evacuation fails with encrypted volumes, when the user is in a different project to the instance creator, even if they are admin. This is a common use case, since operators typically need to migrate around instances. It also occurs with masakari during failover events. # Steps to reproduce As user 1 in project X: * Enable volume encryption via barbican (https://docs.openstack.org/cinder/latest/configuration/block-storage/volume-encryption.html) * Create an instance with an encrypted volume As admin user in admin project: * Migrate or evacuate instance created by user 1 # Expected results Instance is migrated successfully. # Actual results Instance fails to migrate. # Environment CentOS 8 Kolla CentOS source containers Train release # Logs We see the following in barbican API logs: Secret retrieval attempt not allowed - please review your user/project privileges: oslo_policy.policy.PolicyNotAuthorized: secret:get is disallowed by policy This is because barbican secrets, in this case the volume encryption key, are scoped to a project. # Workaround I added the following policy.json: { "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or role:key-manager:migrator", "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or role:key-manager:migrator" } Then assigned the migrating user the key-manager:migrator role in their project. This allows migration and evacuation to succeed. ** Affects: nova Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1895848 Title: Migration and evacuation fails with encrypted volumes Status in OpenStack Compute (nova): New Bug description: # Description Migration and evacuation fails with encrypted volumes, when the user is in a different project to the instance creator, even if they are admin. This is a common use case, since operators typically need to migrate around instances. It also occurs with masakari during failover events. # Steps to reproduce As user 1 in project X: * Enable volume encryption via barbican (https://docs.openstack.org/cinder/latest/configuration/block-storage/volume-encryption.html) * Create an instance with an encrypted volume As admin user in admin project: * Migrate or evacuate instance created by user 1 # Expected results Instance is migrated successfully. # Actual results Instance fails to migrate. # Environment CentOS 8 Kolla CentOS source containers Train release # Logs We see the following in barbican API logs: Secret retrieval attempt not allowed - please review your user/project privileges: oslo_policy.policy.PolicyNotAuthorized: secret:get is disallowed by policy This is because barbican secrets, in this case the volume encryption key, are scoped to a project. # Workaround I added the following policy.json: { "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or role:key-manager:migrator", "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or role:key-manager:migrator" } Then assigned the migrating user the key-manager:migrator role in their project. This allows migration and evacuation to succeed. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1895848/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
