Hey Sean,
On 06/05/2021 18:29, Sean Mooney wrote:
that would make sense given the external event api is admin only and only intended to be used by services so the fix would be for cinder to use an admin credential not the user one to send the event to nova.
Thanks, yes and that can just be achieved by configuring one which is then used for such calls.
But instead of a fully privileged "admin" user there rather should exist a proper RBAC role to only allow one service (cinder in this case) to do what it requires to function (e.g. send events to Nova) and not just "everything for every other service". This first of all violates the least privilege principle, but in an ecosystem that is made up of individual projects of varying security qualities and which are highly distributed it's just a bad idea to give every component and their dog the keys to the kingdom.
There was a forum on exactly that issue at the Summit and how that is one aspect of the RBAC, see the etherpad: https://etherpad.opendev.org/p/deprivilization-of-service-accounts
Regards
Christian
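As an added illustration of the narrowed role argued for above (not part of the thread, and not Nova's shipped defaults): a Nova policy.yaml override that opens only the external event call to a dedicated role, so cinder's service user no longer needs admin. The role name `service` is an assumption; it has to be created in Keystone and be the only role assigned to the cinder service user.

```yaml
# nova policy.yaml override (assumed example; rules not listed here keep Nova's defaults)
#
# Before: the external event API is tied to the admin role, so any credential that
# cinder can use to send events can also call every other admin-only Nova API.
#   "os_compute_api:os-server-external-events:create": "rule:context_is_admin"
#
# After: a dedicated Keystone role (name "service" assumed) is allowed to send
# events and nothing else; admin keeps working for operators and tooling.
"os_compute_api:os-server-external-events:create": "role:service or rule:context_is_admin"
```

Check the effective rule name against the running Nova release with `oslopolicy-policy-generator --namespace nova` before deploying, since defaults have moved between releases.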