Cinder: add creator role when barbican is enabled
When barbican is enabled, add the "creator" role to cinder's service
user so that cinder can create secrets. Cinder needs to create
barbican secrets when migrating encryption keys from the legacy
ConfKeyManager to barbican. Cinder also needs to create barbican
secrets in order to support transferring encrypted volumes.
Implements: bp/transfer-encrypted-volume
Depends-On: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
Change-Id: Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d
diff --git a/lib/cinder b/lib/cinder
index ca2c084..7dd7539 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -388,16 +388,24 @@
# create_cinder_accounts() - Set up common required cinder accounts
-# Tenant User Roles
+# Project User Roles
# ------------------------------------------------------------------
-# service cinder admin # if enabled
+# SERVICE_PROJECT_NAME cinder service
+# SERVICE_PROJECT_NAME cinder creator (if Barbican is enabled)
# Migrated from keystone_data.sh
function create_cinder_accounts {
# Cinder
if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
- create_service_user "cinder"
+ local extra_role=""
+
+ # cinder needs the "creator" role in order to interact with barbican
+ if is_service_enabled barbican; then
+ extra_role=$(get_or_create_role "creator")
+ fi
+
+ create_service_user "cinder" $extra_role
# block-storage is the official service type
get_or_create_service "cinder" "block-storage" "Cinder Volume Service"
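Review bot: The `creator` grant in the new `if is_service_enabled barbican` branch is keyed only on barbican being deployed, so the cinder service user may receive secret-creation rights in SERVICE_PROJECT_NAME even when cinder is not using barbican as its key manager; whether cinder's key manager is configured elsewhere in lib/cinder is not visible in this hunk. If the wider grant is intended, the comment should say what the role permits and why, e.g. `# "creator" lets the cinder service user create barbican secrets (key migration, encrypted volume transfer)`. Separately, `create_service_user "cinder" $extra_role` relies on unquoted word splitting to drop the argument when the role is empty; `create_service_user "cinder" ${extra_role:+"$extra_role"}` keeps that behaviour while quoting the value. The body of create_cinder_accounts continues past the end of the hunk.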