
can a normal user create an encrypted volume?

asked 2016-09-24 06:55:59 -0600

updated 2016-09-24 18:58:34 -0600

The admin guide for Mitaka indicates that admin credentials are required to create an encrypted volume. A Mitaka cloud I am currently playing with confirms this.

If this is true, is there a way to configure a cloud so that normal users can protect their data at rest?

EDIT: The error message I am getting when creating an encrypted volume indicates that I can't order a secret with Barbican. And indeed:

$ barbican secret order create key
Starting new HTTPS connection (1): 10.41.148.9
Starting new HTTPS connection (1): 10.41.172.4
4xx Client error: Forbidden
Forbidden
$ barbican secret list
Starting new HTTPS connection (1): 10.41.148.9
Starting new HTTPS connection (1): 10.41.172.4
4xx Client error: Forbidden
Forbidden

So my question is now: How can I configure Barbican so that a normal user can use it?


2 answers


answered 2016-09-26 01:58:32 -0600

updated 2016-09-26 02:01:03 -0600

It turns out that Barbican requires users to have the creator role (or one of the other roles documented on the Barbican RBAC page http://docs.openstack.org/developer/b...) for creating and using secrets.

Unfortunately non-developer guides on docs.openstack.org fail to mention this detail. In fact, there is no Key Management section in these guides, although volume encryption is covered in the config guide.
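
An added example, not part of the original answer and not Barbican's own code: a small Python model of role-based policy evaluation showing why a user without the creator role gets Forbidden on both commands from the question. The rule table is a constructed simplification, assumed to mirror Barbican's role-based policy (with `orders:post` and `secrets:get` standing for the actions behind `barbican secret order create` and `barbican secret list`), and `_member_` is a sample role name; check your deployment's Barbican policy file for the real rules.

```python
# Constructed, simplified model of Barbican-style RBAC rules (an assumption
# for illustration; the authoritative rules live in the deployment's policy file).
POLICY = {
    "admin": "role:admin",
    "creator": "role:creator",
    "observer": "role:observer",
    "admin_or_creator": "rule:admin or rule:creator",
    "all_but_audit": "rule:admin or rule:observer or rule:creator",
    "orders:post": "rule:admin_or_creator",   # barbican secret order create
    "secrets:post": "rule:admin_or_creator",  # storing a secret
    "secrets:get": "rule:all_but_audit",      # barbican secret list
}

ACTIONS = ("secrets:get", "secrets:post", "orders:post")


def check(rule_name, roles, policy=POLICY, _seen=()):
    """Return True if any 'or' branch of the named rule matches the roles."""
    if rule_name not in policy or rule_name in _seen:
        return False  # unknown or cyclic rule: fail closed
    held = {r.lower() for r in roles}
    for term in policy[rule_name].split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value.lower() in held:
            return True
        if kind == "rule" and check(value, roles, policy, _seen + (rule_name,)):
            return True
    return False


def report(roles):
    """Map each modelled action to 'allowed' or 'forbidden' for these roles."""
    return {a: "allowed" if check(a, roles) else "forbidden" for a in ACTIONS}


if __name__ == "__main__":
    # Sample role sets (constructed): a plain project member, the same user
    # after being granted creator, and a read-only observer.
    for roles in (["_member_"], ["_member_", "creator"], ["observer"]):
        print(roles, report(roles))
```

In this model the observer role can list secrets but cannot create them, so creator is the smallest grant that lets a normal user order the key an encrypted volume needs.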


answered 2016-09-25 15:14:59 -0600

theque42

I don't know this specific issue, but if this is a limitation caused by policy restriction, then creating a new role and modifying policy.json appropriately should solve it. At least it worked for enabling a normal user to perform live migration.


Comments

You are right. Details in the second answer. Thanks!

Bernd Bausch (2016-09-26 01:53:14 -0600)


Stats

Asked: 2016-09-24 06:55:59 -0600

Seen: 96 times

Last updated: Sep 26 '16