yahoo-eng-team team mailing list archive
Message #83904
[Bug 1895848] [NEW] Migration and evacuation fails with encrypted volumes
Public bug reported:
# Description
Migration and evacuation fail with encrypted volumes when the user is
in a different project to the instance creator, even if they are admin.
This is a common use case, since operators typically need to migrate
around instances. It also occurs with masakari during failover events.
# Steps to reproduce
As user 1 in project X:
* Enable volume encryption via barbican (https://docs.openstack.org/cinder/latest/configuration/block-storage/volume-encryption.html)
* Create an instance with an encrypted volume
As admin user in admin project:
* Migrate or evacuate instance created by user 1
# Expected results
Instance is migrated successfully.
# Actual results
Instance fails to migrate.
# Environment
CentOS 8
Kolla CentOS source containers
Train release
# Logs
We see the following in barbican API logs:
    Secret retrieval attempt not allowed - please review your user/project privileges: oslo_policy.policy.PolicyNotAuthorized: secret:get is disallowed by policy
This is because barbican secrets, in this case the volume encryption
key, are scoped to a project.
# Workaround
I added the following policy.json:
    {
        "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or role:key-manager:migrator",
        "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or role:key-manager:migrator"
    }
Then assigned the migrating user the key-manager:migrator role in their
project. This allows migration and evacuation to succeed.
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1895848
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1895848/+subscriptions
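An added example, not part of the bug report and not barbican or oslo.policy code: a small review check of what the workaround policy grants. It lists the `role:` checks that stand alone as OR alternatives (so they carry no project condition) and evaluates the two rules for a caller. The function names are hypothetical, and treating every named `rule:` reference as unsatisfied for a caller from another project is an assumption taken from the denial in the log above.

```python
import json
import re

# The two rules from the workaround policy.json in the report, verbatim.
POLICY_JSON = """
{
"secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or role:key-manager:migrator",
"secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or role:key-manager:migrator"
}
"""

def or_terms(expr):
    """Split an expression into its OR alternatives (this sketch handles
    only flat 'a or b or c' rules, which is all the workaround uses)."""
    terms = [t.strip() for t in re.split(r"\s+or\s+", expr.strip())]
    for term in terms:
        if re.search(r"\s|\(|\)", term):
            raise ValueError("unsupported policy term: %r" % term)
    return terms

def standalone_roles(policy):
    """Map each action to the role: checks that are OR alternatives on their
    own, i.e. that grant the action with no project condition attached."""
    found = {}
    for action, expr in policy.items():
        roles = [t[len("role:"):] for t in or_terms(expr) if t.startswith("role:")]
        if roles:
            found[action] = roles
    return found

def is_allowed(expr, caller_roles, satisfied_rules=frozenset()):
    """Evaluate a flat OR rule. Named rule: references are not expanded; the
    caller states which hold. Assumption: none hold for a caller scoped to a
    different project than the secret, as the PolicyNotAuthorized log shows."""
    for term in or_terms(expr):
        kind, _, name = term.partition(":")
        if kind == "role" and name in caller_roles:
            return True
        if kind == "rule" and name in satisfied_rules:
            return True
    return False

if __name__ == "__main__":
    policy = json.loads(POLICY_JSON)
    print("project-independent grants:", standalone_roles(policy))
    for roles in ({"admin"}, {"admin", "key-manager:migrator"}):
        print(sorted(roles), "->", is_allowed(policy["secret:get"], roles))
```

The first result shows that `key-manager:migrator` is the only alternative in either rule that does not depend on the caller's project matching the secret's, so anyone holding that role can get and decrypt secrets from any project.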