From 2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6 Mon Sep 17 00:00:00 2001
From: Ghanshyam Maan <gmaan@ghanshyammann.com>
Date: Thu, 28 Aug 2025 03:39:25 +0000
Subject: [PATCH] Configure glance user in cinder conf

Cinder talk to glance for new image location APIs which
are default to 'service' role[1]. That needs cinder to have
the glance service user configured. We need to assign admin
role also to service user so that it can access images from
glance.

Needed-By: https://review.opendev.org/c/openstack/glance/+/958715

[1] https://review.opendev.org/c/openstack/glance/+/958715

Change-Id: I52d118672c053b9d6890bc6289bf12dcf5d7dce3
Signed-off-by: Ghanshyam Maan <gmaan@ghanshyammann.com>
---
 lib/cinder | 3 +++
 lib/glance | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/cinder b/lib/cinder
index eb8a63dbfc..aef6854062 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -419,6 +419,9 @@ function configure_cinder {
         iniset $CINDER_CONF DEFAULT glance_ca_certificates_file $SSL_BUNDLE_FILE
     fi
 
+    # Set glance credentials (used for location APIs)
+    configure_keystone_authtoken_middleware $CINDER_CONF glance glance
+
     # Set nova credentials (used for os-assisted-snapshots)
     configure_keystone_authtoken_middleware $CINDER_CONF nova nova
     iniset $CINDER_CONF nova region_name "$REGION_NAME"
diff --git a/lib/glance b/lib/glance
index b596b53271..31a9ae9745 100644
--- a/lib/glance
+++ b/lib/glance
@@ -503,7 +503,9 @@ function configure_glance {
 function create_glance_accounts {
     if is_service_enabled g-api; then
 
-        create_service_user "glance"
+        # When cinder talk to glance service APIs user needs service
+        # role for RBAC checks and admin role for cinder to access images.
+        create_service_user "glance" "admin"
 
         # required for swift access
         if is_service_enabled s-proxy; then