From d9aa5c7077bc59e66f1456eaf94ef628e1b3f2e0 Mon Sep 17 00:00:00 2001
From: Spyros Trigazis <strigazi@gmail.com>
Date: Tue, 28 Mar 2017 11:58:10 +0200
Subject: [PATCH] Add reno for cluster_user_trust option

Add release notes for the new configuration parameter
cluster_user_trust which was introduced in the fix
for CVE-2016-7404.

Change-Id: Iae14491471254e5f4b6d766290d44762043ee259
Related-Bug: #1620536
---
 .../notes/CVE-2016-7404-f53e62a4a40e4d30.yaml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 releasenotes/notes/CVE-2016-7404-f53e62a4a40e4d30.yaml

diff --git a/releasenotes/notes/CVE-2016-7404-f53e62a4a40e4d30.yaml b/releasenotes/notes/CVE-2016-7404-f53e62a4a40e4d30.yaml
new file mode 100644
index 0000000000..2edb4102e7
--- /dev/null
+++ b/releasenotes/notes/CVE-2016-7404-f53e62a4a40e4d30.yaml
@@ -0,0 +1,29 @@
+---
+upgrade:
+  - |
+    To let clusters communicate directly with OpenStack service other than
+    Magnum, in the `trust` section of magnum.conf, set `cluster_user_trust` to
+    True. The default value is False.
+security:
+  - |
+    Every magnum cluster is assigned a trustee user and a trustID. This user is
+    used to allow clusters communicate with the key-manager service (Barbican)
+    and get the certificate authority of the cluster. This trust user can be
+    used by other services too. It can be used to let the cluster authenticate
+    with other OpenStack services like the Block Storage service, Object
+    Storage service, Load Balancing etc. The cluster with this user and the
+    trustID has full access to the trustor's OpenStack project. A new
+    configuration parameter has been added to restrict the access to other
+    services than Magnum.
+fixes:
+  - |
+    Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have
+    to be re-created to benefit from this fix. Part of this fix is the newly
+    introduced setting `cluster_user_trust` in the `trust` section of
+    magnum.conf. This setting defaults to False. `cluster_user_trust` dictates
+    whether to allow passing a trust ID into a cluster's instances. For most
+    clusters this capability is not needed. Clusters with
+    `registry_enabled=True` or `volume_driver=rexray` will need this
+    capability. Other features that require this capability may be introduced
+    in the future. To be able to create such clusters you will need to set
+    `cluster_user_trust` to True.