Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: barbican-operator
Labels:
None

Epic Link:
[BugEpic]: Barbican config should allow seamless admin controlled migrations, evacuations, unshelve operations for encrypted volumes
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Docs Approval:
?
AssignedTeam:
rhos-ops-platform-services-security
Regression:
None
Intelligence Requested:
Market:
PX Impact Score:
PX Review Complete:

Severity:
Important

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Barbican config should allow seamless admin controlled migrations, evacuations, unshelve operations for encrypted volumes

The default config will fail for admin directed operations like migrations, evacuations, unshelve operations with the following:


Key manager error: Forbidden: Secret payload retrieval attempt not allowed - please review your user/project privileges

This impacts features like instanceHA and Watcher also.

Here is a policy work-around for this issue (from Douglas Mendizábal)

spec:
 ...
   barbican:
   ...
    template:
      barbicanAPI:
        customServiceConfig: |
          [oslo_policy]
          policy_file=/etc/barbican/barbican.conf.d/policy.yaml
        defaultConfigOverwrite:
          policy.yaml: |
            "secret:decrypt": "role:admin or rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private) or rule:secret_acl_read"

Assignee:: Douglas Mendizabal

Reporter:: Mathew Flusche

Team:: rhos-dfg-security

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/11/14 2:30 PM

Updated:: 2025/11/24 2:10 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty