Open maliblatt opened 2 years ago
@matfechner Are you looking at this as part of the Encryption topic? I think it makes sense as a 1st step in the testbed to activate the Barbican service. So far this is not yet the case.
@berendt barbican is still active:
https://github.com/osism/testbed/blob/main/environments/kolla/configuration.yml ... enable_barbican: "yes" ...
It's more of an enhancement than a bug. It is not possible by design.
I totally agree here with @berendt that modifying policy in a way to allow admin read any secret of any user is totally a security issue and should not be considered as normal practice. Yes, that would ease operations, sure, but basically any user with specific role will be able to decrypt anything that was encrypted for $reason. So I'm not sure this path should be really documented except: you can do this at your own risk.
When trying to live-migrate an instance with an encrypted volume or when trying to empty a hypervisor with the migrate-host feature, it will fail with an error like this:
As a workaround, we have modified the barbican policy to allow admin to retrieve the secrets for migrating instances from other projects, so that live-migrating is now working for us. Maybe this should be integrated in OSISM?
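As an added example (not code from this thread, from OSISM or from Barbican), a small audit that parses a flat Barbican policy file and reports which secret-read targets a caller outside the owning project could satisfy, which is exactly what the admin override above introduces. The target names `secret:get`/`secret:decrypt` and the `target.secret.project_id` attribute are assumptions taken from Barbican's default policy; the two policy samples are constructed.

```python
import re
# Barbican targets that hand back secret material (assumption: names match the deployed release).
SECRET_READ_TARGETS = ("secret:get", "secret:decrypt")
# The check that binds a caller to the secret's owning project; the target
# attribute name follows Barbican's default policy (assumption).
PROJECT_SCOPED = re.compile(r"%\(target\.secret\.project_id\)s")
ENTRY = re.compile(r'^\s*"([^"]+)"\s*:\s*"([^"]*)"\s*,?\s*(#.*)?$')  # "target": "expr"
def parse_policy(text):
    """Read a flat, double-quoted policy.yaml/policy.json into {target: expr}."""
    return {m.group(1): m.group(2) for m in map(ENTRY.match, text.splitlines()) if m}
def split_top(expr, op):
    """Split expr on a top-level ' op ', leaving parenthesised groups intact."""
    parts, depth, start, tok, i = [], 0, 0, f" {op} ", 0
    while i < len(expr):
        if expr[i] == "(":
            depth += 1
        elif expr[i] == ")":
            depth -= 1
        elif depth == 0 and expr.startswith(tok, i):
            parts.append(expr[start:i])
            start = i = i + len(tok)
            continue
        i += 1
    return parts + [expr[start:]]
def reachable_without_project(expr, rules, seen=()):
    """True if expr can be satisfied on some path that never checks the owning
    project: any 'or' branch suffices, every 'and' conjunct must lack the check."""
    expr = expr.strip()
    for op, combine in (("or", any), ("and", all)):  # 'or' binds loosest, split first
        parts = split_top(expr, op)
        if len(parts) > 1:
            return combine(reachable_without_project(p, rules, seen) for p in parts)
    if expr.startswith("(") and expr.endswith(")"):
        return reachable_without_project(expr[1:-1], rules, seen)
    if expr.startswith("rule:") and expr[5:] in rules and expr not in seen:
        return reachable_without_project(rules[expr[5:]], rules, seen + (expr,))
    return not PROJECT_SCOPED.search(expr)
def cross_project_secret_reads(policy_text):
    # Secret-read targets a caller outside the owning project could satisfy.
    rules = parse_policy(policy_text)
    return [t for t in SECRET_READ_TARGETS if t in rules and reachable_without_project(rules[t], rules)]
# Constructed samples; the second prepends the global-admin path the thread's workaround describes.
SCOPED_POLICY = '''
"secret_project_match": "project_id:%(target.secret.project_id)s"
"secret:get": "rule:secret_project_match and (role:admin or role:member)"
"secret:decrypt": "rule:secret:get"
'''
ADMIN_OVERRIDE_POLICY = SCOPED_POLICY.replace(
    '"rule:secret_project_match and', '"role:admin or rule:secret_project_match and')
```

Run it against a deployment's `policy.yaml` before and after such a change; a non-empty result means secret material is readable by callers from other projects, which is the exposure @berendt and the comment above warn about.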