From 4388f00d267c4090b7de6bc94da9e2970abdf0cc Mon Sep 17 00:00:00 2001 From: Slawek Kaplonski Date: Tue, 3 Sep 2024 10:49:04 +0200 Subject: [PATCH] Add "admin" role to the designate user created by devstack plugin Service user with name "designate" had only "service" role up to now but it seems that with oslo.policy 4.4.0 where "enforce_new_defaults" is set to True by default, this breaks integration between Neutron and Designate as e.g. Neutron's creation of the recordset fails with Forbidden exception as this seems to be allowed only for admin user or shared or primary zone. This patch adds also "admin" role for this "designate" service user to workaround that issue, at least until Designate will support "service" role usage with Secure RBAC policies. Closes-Bug: #2078518 Change-Id: I477cc96519e7396a614f92d109867222207ec388 --- devstack/plugin.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devstack/plugin.sh b/devstack/plugin.sh index f177c6110..cdac1b964 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -188,7 +188,7 @@ function create_designate_accounts { local designate_api_url if is_service_enabled designate-api; then - create_service_user "designate" + create_service_user "designate" "admin" designate_api_url="$DESIGNATE_SERVICE_PROTOCOL://$DESIGNATE_SERVICE_HOST/dns"