Cinder: add creator role when barbican is enabled

When barbican is enabled, add the "creator" role to cinder's service user so that cinder can create secrets. Cinder needs to create barbican secrets when migrating encryption keys from the legacy ConfKeyManager to barbican. Cinder also needs to create barbican secrets in order to support transferring encrypted volumes. Implements: bp/transfer-encrypted-volume Depends-On: I216f78e8a300ab3f79bbcbb38110adf2bbec2196 Change-Id: Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d
2022-08-10 10:30:19 -07:00 · 2022-08-10 10:30:19 -07:00 · ccd116d364
commit ccd116d364
parent 28ee346393
1 changed files with 11 additions and 3 deletions
--- a/lib/cinder
+++ b/lib/cinder
@ -388,16 +388,24 @@ function configure_cinder {

 # create_cinder_accounts() - Set up common required cinder accounts

-# Tenant               User       Roles
+# Project              User       Roles
 # ------------------------------------------------------------------
-# service              cinder     admin        # if enabled
+# SERVICE_PROJECT_NAME cinder     service
+# SERVICE_PROJECT_NAME cinder     creator (if Barbican is enabled)

 # Migrated from keystone_data.sh
 function create_cinder_accounts {
    # Cinder
    if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then

-        create_service_user "cinder"
+        local extra_role=""
+
+        # cinder needs the "creator" role in order to interact with barbican
+        if is_service_enabled barbican; then
+            extra_role=$(get_or_create_role "creator")
+        fi
+
+        create_service_user "cinder" $extra_role

        # block-storage is the official service type
        get_or_create_service "cinder" "block-storage" "Cinder Volume Service"