[queens-only] Increase auth_ttl for ec2token expiry

The recently added default of 15 mins for CVE-2020-12692 in keystone
may not work with undercloud where deployments can run for a long
time. Let's keep it large enough to avoid its expiration during
an overcloud deployment before the stack action times out.

Change-Id: I217192b8563e615dffc590f9d548883e0f1b38de
Related-Bug: #1872737
Michele Baldessari 2020-06-04 09:39:32 +02:00
parent a728f945ff
commit 2323fd3b7e
1 changed files with 4 additions and 0 deletions

@ -239,6 +239,10 @@ keystone::enable_credential_setup: true
keystone::fernet_max_active_keys: 2
keystone::cache_memcache_servers: "%{hiera('memcached::listen_ip')}:11211"
keystone::cache_backend: "dogpile.cache.memcached"
# CVE-2020-12692 set the default of 15 mins for ttl in keystone, we need that to be a lot higher
keystone::config::keystone_config:
credential/auth_ttl:
value: 240
# MySQL
admin_password: {{UNDERCLOUD_ADMIN_PASSWORD}}
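
Review bot: the comment added above `keystone::config::keystone_config:` says the ttl must be "a lot higher" than 15 mins, but it gives neither the unit of `value: 240` nor the reason for that number. Please state the unit in the comment (presumably minutes, given the 15 mins default it refers to) and name the stack action timeout from the commit message that 240 is meant to exceed, so the two can be kept in step if that timeout changes. Because the setting widens the validity window that the CVE-2020-12692 default was introduced to shorten, the comment should also say that the override is intended for the undercloud only, and the commit message or a follow-up should explain why a hard-coded value is preferred over one derived from the deployment timeout.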