From f535c8459135fc841cd31a35c0084698cd33f7cc Mon Sep 17 00:00:00 2001
From: Matt Crees
Date: Fri, 9 Feb 2024 15:37:20 +0000
Subject: [PATCH] Add sufficient detail to the app creds fixes

Specify that app creds in Yoga are affected by the lack of implicit roles, so no assumptions are made that a system is safe if it is a relatively new deployment.

Add a note to the issue of implicit reader roles seen at Bristol Uni.

Add instructions on how to add the reader role to existing app creds, taken from Slack conversations.
---
 doc/source/operations/upgrading.rst | 44 +++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/doc/source/operations/upgrading.rst b/doc/source/operations/upgrading.rst
index dffce4399..57a86f079 100644
--- a/doc/source/operations/upgrading.rst
+++ b/doc/source/operations/upgrading.rst
@@ -66,8 +66,48 @@ Some things to watch out for: required by the secure RBAC policies. * Application credentials generated before the existence of any implicit roles will not be granted those roles. This may include the ``reader`` role, which - is referenced in some of the new secure RBAC policies. See `Keystone bug - 2030061 `_. + is referenced in some of the new secure RBAC policies. This issue has been + seen in app creds generated in the Yoga release. See `Keystone bug 2030061 + `_. + + While the Keystone docs suggest that the ``member`` role should imply the + ``reader`` role, it has been seen at a customer that newly-generated app + creds in the Antelope release may need both the ``member`` and ``reader`` + role specified. + + Here are some SQL scripts you can call to first see if any app creds are + affected, and then add the reader role where needed. It is recommended to + `backup the database + `__ + before running these. + + .. code-block:: sql + + docker exec -it mariadb bash + mysql -u root -p keystone + # Enter the database password when prompted. 
+ + SELECT application_credential.internal_id, role.id AS reader_role_id + FROM application_credential, role + WHERE role.name = 'reader' + AND NOT EXISTS ( + SELECT 1 + FROM application_credential_role + WHERE application_credential_role.application_credential_id = application_credential.internal_id + AND application_credential_role.role_id = role.id + ); + + INSERT INTO application_credential_role (application_credential_id, role_id) + SELECT application_credential.internal_id, role.id + FROM application_credential, role + WHERE role.name = 'reader' + AND NOT EXISTS ( + SELECT 1 + FROM application_credential_role + WHERE application_credential_role.application_credential_id = application_credential.internal_id + AND application_credential_role.role_id = role.id + ); + * If you have overwritten ``[auth] tempest_roles`` in your Tempest config, such as to add the ``creator`` role for Barbican, you will need to also add the ``member role``. eg:
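Review bot: the `INSERT INTO application_credential_role` in the new block grants `reader` to every application credential that currently lacks it, not only to those whose existing roles would imply `reader` under the implied-role rules the surrounding paragraph describes; an app cred created with a role such as `creator` alone would also end up holding `reader`, which widens its scope beyond what its owner set up. Suggest restricting both the diagnostic SELECT and the INSERT to credentials that already hold a role Keystone's `implied_role` table maps to `reader` (or, as a simpler approximation, `member` or `admin`), for example by appending `AND EXISTS (SELECT 1 FROM application_credential_role acr JOIN role r ON r.id = acr.role_id WHERE acr.application_credential_id = application_credential.internal_id AND r.name IN ('member', 'admin'))` to each `WHERE` clause, so that the text's "add the reader role where needed" matches what the statement does. In the same region, `WHERE role.name = 'reader'` matches every role row of that name; Keystone roles can be domain-scoped, so a deployment with a domain-specific `reader` role would get one inserted row per matching role for each credential. It would be worth telling the reader to confirm the first SELECT returns a single `reader_role_id` value before running the INSERT. Finally, the `.. code-block:: sql` mixes the two shell commands (`docker exec -it mariadb bash`, `mysql -u root -p keystone`) and the `#` prompt comment with the SQL statements; splitting them into a `console` block for the commands and a `sql` block for the queries would render correctly and let the queries be pasted as-is.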