30 lines
1.5 KiB
YAML
---
upgrade:
  - |
    To let clusters communicate directly with OpenStack services other than
    Magnum, in the `trust` section of magnum.conf, set `cluster_user_trust` to
    True. The default value is False.
security:
  - |
    Every magnum cluster is assigned a trustee user and a trustID. This user is
    used to allow clusters to communicate with the key-manager service (Barbican)
    and get the certificate authority of the cluster. This trust user can be
    used by other services too. It can be used to let the cluster authenticate
    with other OpenStack services like the Block Storage service, Object
    Storage service, Load Balancing etc. The cluster with this user and the
    trustID has full access to the trustor's OpenStack project. A new
    configuration parameter has been added to restrict access to services
    other than Magnum.
fixes:
  - |
    Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have
    to be re-created to benefit from this fix. Part of this fix is the newly
    introduced setting `cluster_user_trust` in the `trust` section of
    magnum.conf. This setting defaults to False. `cluster_user_trust` dictates
    whether to allow passing a trust ID into a cluster's instances. For most
    clusters this capability is not needed. Clusters with
    `registry_enabled=True` or `volume_driver=rexray` will need this
    capability. Other features that require this capability may be introduced
    in the future. To be able to create such clusters you will need to set
    `cluster_user_trust` to True.
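The note above leaves the operator with a judgement call: keep `cluster_user_trust` at its default of False (so no trust ID reaches cluster instances) unless a cluster template actually uses `registry_enabled=True` or `volume_driver=rexray`. The following is an added example, not code from the Magnum project or this release note, of a small audit helper that reads the `[trust]` section of a magnum.conf-style file and checks it against the templates an operator intends to deploy. The sample configuration text, the template dictionaries and the function names are all constructed here for illustration.

```python
"""Audit helper for the cluster_user_trust setting described in the note.

Two conditions are worth flagging to an operator:
  * cluster_user_trust=True while no template needs it: cluster instances
    would receive a trust ID granting full access to the trustor's project
    for no reason (this is the exposure the fix restricts);
  * a template that needs the capability while the setting is False: the
    feature the template relies on will not work.
"""
import configparser
from typing import Any, Dict, List

# Constructed sample of the relevant part of magnum.conf (not a real
# deployment file). Only the option named in the release note is used.
SAMPLE_MAGNUM_CONF = """
[DEFAULT]
debug = False

[trust]
cluster_user_trust = False
"""

# Constructed cluster templates, keyed by a label chosen for this example.
SAMPLE_TEMPLATES: Dict[str, Dict[str, Any]] = {
    "k8s-cinder": {"volume_driver": "cinder", "registry_enabled": False},
    "swarm-registry": {"registry_enabled": True},
    "k8s-rexray": {"volume_driver": "rexray"},
}


def cluster_user_trust_enabled(conf_text: str) -> bool:
    """Return True if [trust]/cluster_user_trust is set to a truthy value.

    A missing section or option means the documented default, False.
    Interpolation is disabled so '%' characters in other options cannot
    break parsing.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.getboolean("trust", "cluster_user_trust", fallback=False)


def template_needs_cluster_user_trust(template: Dict[str, Any]) -> bool:
    """Apply the rule from the note: registry_enabled=True or
    volume_driver=rexray require a trust ID inside the cluster."""
    registry = template.get("registry_enabled", False)
    if isinstance(registry, str):
        # Template attributes are often strings when they come from an API.
        registry = registry.strip().lower() in ("1", "true", "yes")
    volume_driver = str(template.get("volume_driver") or "").strip().lower()
    return bool(registry) or volume_driver == "rexray"


def audit(conf_text: str, templates: Dict[str, Dict[str, Any]]) -> List[str]:
    """Compare the setting with the templates and return human-readable findings."""
    enabled = cluster_user_trust_enabled(conf_text)
    needing = [name for name, t in templates.items()
               if template_needs_cluster_user_trust(t)]
    findings: List[str] = []
    if enabled and not needing:
        findings.append("cluster_user_trust=True but no template needs it; "
                        "set it to False to keep trust IDs out of cluster instances")
    if not enabled:
        for name in needing:
            findings.append(f"template {name!r} needs cluster_user_trust=True "
                            f"(currently False); such clusters cannot be created")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_MAGNUM_CONF, SAMPLE_TEMPLATES):
        print(line)
```

Run against the constructed samples, the helper reports that the `swarm-registry` and `k8s-rexray` templates need the setting while the config leaves it at False; with only `k8s-cinder` deployed it reports nothing, which is the intended end state for most deployments.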