Add "admin" role to the designate user created by devstack plugin
Service user with name "designate" had only the "service" role up to now, but it seems that with oslo.policy 4.4.0, where "enforce_new_defaults" is set to True by default, this breaks integration between Neutron and Designate, as e.g. Neutron's creation of the recordset fails with a Forbidden exception, as this seems to be allowed only for an admin user or a shared or primary zone. This patch also adds the "admin" role for this "designate" service user to work around that issue, at least until Designate supports "service" role usage with Secure RBAC policies.

Closes-Bug: #2078518
Change-Id: I477cc96519e7396a614f92d109867222207ec388
parent cfa330c0fd
commit 4388f00d26
@ -188,7 +188,7 @@ function create_designate_accounts {
|
||||
local designate_api_url
|
||||
|
||||
if is_service_enabled designate-api; then
|
||||
create_service_user "designate"
|
||||
create_service_user "designate" "admin"
|
||||
|
||||
designate_api_url="$DESIGNATE_SERVICE_PROTOCOL://$DESIGNATE_SERVICE_HOST/dns"
|
||||
|
||||
|
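Review bot: The new `create_service_user "designate" "admin"` call in `create_designate_accounts` has no comment saying that the admin grant is a temporary workaround. The commit message says it is only needed until Designate supports the "service" role with Secure RBAC policies, but nothing in the script records that, so the elevated role is likely to outlive its reason. Please add a comment above the call that references bug #2078518 and states the condition for reverting to the plain service user. It would also help to note there whether the second argument is added on top of the "service" role or replaces it, since the message says "also" and the hunk alone does not show which. With this change the "designate" service credentials carry admin rights, so anything that can read them gains those rights as well; a comment makes that trade-off visible to whoever next touches this function.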