From 03c12abbcc107bfec451f4558bc97d14facae01c Mon Sep 17 00:00:00 2001
From: Sean Mooney
Date: Wed, 10 May 2023 20:58:47 +0100
Subject: [PATCH] always add service_user section to nova.conf

As of I3629b84d3255a8fe9d8a7cea8c6131d7c40899e8 nova now requires the service_user section to be configured to address CVE-2023-2088. This change adds the service user section to the nova.conf template in the nova and nova-cell roles.

Related-Bug: #2004555
Signed-off-by: Sven Kieske
Change-Id: I2189dafca070accfd8efcd4b8cc4221c6decdc9f
(cherry picked from commit a77ea13ef1991543df29b7eea14b1f91ef26f858)
---
 ansible/roles/cinder/templates/cinder.conf.j2 | 5 +++++
 ansible/roles/nova-cell/templates/nova.conf.j2 | 13 +++++++++++++
 ansible/roles/nova/templates/nova.conf.j2 | 13 +++++++++++++
 .../notes/cve-2023-2088-51e7e050be2139bf.yaml | 9 +++++++++
 4 files changed, 40 insertions(+)
 create mode 100644 releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml

diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index 229b6a58a9..541e8c14bd 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -109,6 +109,11 @@ max_pool_size = {{ database_max_pool_size }}
 max_retries = -1
 
 [keystone_authtoken]
+# security fix, always validate service tokens
+# see: https://security.openstack.org/ossa/OSSA-2023-003.html
+# and: https://docs.openstack.org/cinder/zed/configuration/block-storage/service-token.html#troubleshooting
+service_token_roles_required = true
+service_token_roles = admin
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_admin_url }}
 auth_type = password
diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2
index 30fda9231f..55fb10838d 100644
--- a/ansible/roles/nova-cell/templates/nova.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.j2
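Review bot: `service_token_roles = admin` narrows the accepted service-token role from the keystonemiddleware default of `service` to `admin` only, and neither the comment above it nor the commit message (which mentions only nova.conf) explains that choice or that the nova user presenting the token must hold that role. A comment such as `# require the admin role that kolla-ansible is expected to assign to service users; the middleware default would be 'service'` would make the dependency on the keystone registration tasks explicit, and that role assignment is worth confirming since it is not part of this patch. Because `service_token_roles_required = true` makes cinder reject, rather than merely log, an X-Service-Token whose roles do not match, any caller presenting a service token under a different role will now receive 401s; that is the intended fail-closed behaviour, but the release note in this patch does not mention it.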
@@ -258,3 +258,16 @@ track_instance_changes = false
 [pci]
 passthrough_whitelist = {{ nova_pci_passthrough_whitelist | to_json }}
 {% endif %}
+
+[service_user]
+send_service_user_token = true
+auth_url = {{ keystone_internal_url }}
+auth_type = password
+project_domain_id = {{ default_project_domain_id }}
+user_domain_id = {{ default_user_domain_id }}
+project_name = service
+username = {{ nova_keystone_user }}
+password = {{ nova_keystone_password }}
+cafile = {{ openstack_cacert }}
+region_name = {{ openstack_region_name }}
+valid_interfaces = internal
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index fdd797bca9..38428039ac 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -202,3 +202,16 @@ auth_endpoint = {{ keystone_internal_url }}
 barbican_endpoint_type = internal
 verify_ssl_path = {{ openstack_cacert }}
 {% endif %}
+
+[service_user]
+send_service_user_token = true
+auth_url = {{ keystone_internal_url }}
+auth_type = password
+project_domain_id = {{ default_project_domain_id }}
+user_domain_id = {{ default_user_domain_id }}
+project_name = service
+username = {{ nova_keystone_user }}
+password = {{ nova_keystone_password }}
+cafile = {{ openstack_cacert }}
+region_name = {{ openstack_region_name }}
+valid_interfaces = internal
diff --git a/releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml b/releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml
new file mode 100644
index 0000000000..072da3a795
--- /dev/null
+++ b/releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    Configuration of service user tokens for all Nova and Cinder services
+    is now done automatically, to ensure security of block-storage volume
+    data.
+
+    See `LP#[2004555] `__ for
+    more details.
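Review bot: The new `[service_user]` section authenticates as `{{ nova_keystone_user }}`, while the cinder hunk earlier in this patch accepts service tokens only when they carry the `admin` role, so nova-to-cinder calls that include a service token will fail closed unless that user is assigned `admin`; the assignment is not visible in this patch and should be confirmed in the keystone registration tasks. Unlike the cinder hunk, this block carries no explanation of why it must exist; a comment above the section header, e.g. `# nova must send a service token to cinder (CVE-2023-2088 / OSSA-2023-003); cinder's fix for the same CVE rejects attachment deletes that lack one`, would stop a later cleanup from dropping it. The identical block is added to ansible/roles/nova/templates/nova.conf.j2 in the next hunk, and the same role check and comment apply there. It is also worth verifying that nova's own `[keystone_authtoken]` section (outside this hunk) already sets `service_token_roles_required = true`, since the advisory's guidance covers tokens received by nova as well as the ones it now sends.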