From ce6e44c8be27d483cf9b01f0163b2b702ae7146e Mon Sep 17 00:00:00 2001
From: Christian Berendt <berendt@osism.tech>
Date: Sat, 18 May 2024 15:16:22 +0200
Subject: [PATCH] Assign the service role to all service accounts (#1379)

Signed-off-by: Christian Berendt <berendt@osism.tech>
---
 doc/source/notes/7.rst | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/doc/source/notes/7.rst b/doc/source/notes/7.rst
index b19d3e52..c0982d7a 100644
--- a/doc/source/notes/7.rst
+++ b/doc/source/notes/7.rst
@@ -381,6 +381,38 @@ Upgrade notes
   the output of ``openstack --os-cloud admin role list``. If it does not exist, it can
   be created with ``openstack --os-cloud admin role create service``.
 
+  This ``service`` role is required by the service accounts for authentication after the
+  upgrade of the OpenStack services. To avoid problems during the upgrade, it is important
+  to assign this role to all existing service accounts in advance.
+
+  .. code-block:: none
+
+     # List all users in the project service with the admin role. The existing service
+     # accounts depend on the deployed services and may vary.
+     $ openstack --os-cloud admin role assignment list --names --role admin --project service
+     +-------+--------------------------+-------+-----------------+--------+--------+-----------+
+     | Role  | User                     | Group | Project         | Domain | System | Inherited |
+     +-------+--------------------------+-------+-----------------+--------+--------+-----------+
+     | admin | ironic@Default           |       | service@Default |        |        | False     |
+     | admin | neutron@Default          |       | service@Default |        |        | False     |
+     | admin | gnocchi@Default          |       | service@Default |        |        | False     |
+     | admin | swift@Default            |       | service@Default |        |        | False     |
+     | admin | nova@Default             |       | service@Default |        |        | False     |
+     | admin | placement@Default        |       | service@Default |        |        | False     |
+     | admin | cinder@Default           |       | service@Default |        |        | False     |
+     | admin | glance@Default           |       | service@Default |        |        | False     |
+     | admin | designate@Default        |       | service@Default |        |        | False     |
+     | admin | octavia@Default          |       | service@Default |        |        | False     |
+     | admin | skyline@Default          |       | service@Default |        |        | False     |
+     | admin | ironic-inspector@Default |       | service@Default |        |        | False     |
+     | admin | ceilometer@Default       |       | service@Default |        |        | False     |
+     +-------+--------------------------+-------+-----------------+--------+--------+-----------+
+
+     # Assign the service role to all users in the project service (repeat this step for every
+     # user in the list.
+     $ openstack --os-cloud admin role add --user ironic --project service service
+     [...]
+
 * The use of ProxySQL for MariaDB is now possible and it is possible to switch
   to it as part of the upgrade. It is not mandatory and there is no recommendation.
   The parameter ``enable_proxysql`` is added to ``environments/kolla/configuration.yml``