
Add reno for cluster_user_trust option

Add release notes for the new configuration parameter
cluster_user_trust which was introduced in the fix
for CVE-2016-7404.

(cherry picked from commit 4d4e98157e)

Change-Id: Ia59bd3ec543f6e9b53ddb4c107d6a44d198eb9d7
Related-Bug: #1620536
Spyros Trigazis 2 years ago
parent
commit
aaa94e1a28
1 changed files with 29 additions and 0 deletions
releasenotes/notes/CVE-2016-7404-f53e62a4a40e4d30.yaml

@@ -0,0 +1,29 @@
1
+---
2
+upgrade:
3
+  - |
4
+    To let clusters communicate directly with OpenStack service other than
5
+    Magnum, in the `trust` section of magnum.conf, set `cluster_user_trust` to
6
+    True. The default value is False.
7
+security:
8
+  - |
9
+    Every magnum cluster is assigned a trustee user and a trustID. This user is
10
+    used to allow clusters communicate with the key-manager service (Barbican)
11
+    and get the certificate authority of the cluster. This trust user can be
12
+    used by other services too. It can be used to let the cluster authenticate
13
+    with other OpenStack services like the Block Storage service, Object
14
+    Storage service, Load Balancing etc. The cluster with this user and the
15
+    trustID has full access to the trustor's OpenStack project. A new
16
+    configuration parameter has been added to restrict the access to other
17
+    services than Magnum.
18
+fixes:
19
+  - |
20
+    Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have
21
+    to be re-created to benefit from this fix. Part of this fix is the newly
22
+    introduced setting `cluster_user_trust` in the `trust` section of
23
+    magnum.conf. This setting defaults to False. `cluster_user_trust` dictates
24
+    whether to allow passing a trust ID into a cluster's instances. For most
25
+    clusters this capability is not needed. Clusters with
26
+    `registry_enabled=True` or `volume_driver=rexray` will need this
27
+    capability. Other features that require this capability may be introduced
28
+    in the future. To be able to create such clusters you will need to set
29
+    `cluster_user_trust` to True.
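
Review bot: The last sentence of the `security` entry ("A new configuration parameter has been added to restrict the access to other services than Magnum.") does not name the parameter or say what enabling it means for exposure. Suggest naming `cluster_user_trust` there, stating its default of False, and noting that setting it to True allows the trust ID to be passed into the cluster's instances, so the full access to the trustor's OpenStack project described two sentences earlier applies to those clusters. Separately, the `upgrade` entry only covers turning the option on; the requirement to re-create existing clusters, and the fact that clusters with `registry_enabled=True` or `volume_driver=rexray` need the option set to True, appear only under `fixes`, where an operator reading the upgrade section would miss them. Minor wording: "OpenStack service other than Magnum" should read "services", and "allow clusters communicate" should read "allow clusters to communicate".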
