---
upgrade:
  - |
    To let clusters communicate directly with OpenStack services other than
    Magnum, set `cluster_user_trust` to True in the `trust` section of
    magnum.conf. The default value is False.
security:
  - |
    Every Magnum cluster is assigned a trustee user and a trustID. This user
    allows clusters to communicate with the key-manager service (Barbican)
    and get the certificate authority of the cluster. The trustee user can be
    used by other services too: it can let the cluster authenticate with
    other OpenStack services such as the Block Storage service, Object
    Storage service, Load Balancing etc. A cluster holding this user and the
    trustID has full access to the trustor's OpenStack project. A new
    configuration parameter has been added to restrict access to services
    other than Magnum.
fixes:
  - |
    Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have
    to be re-created to benefit from this fix. Part of this fix is the newly
    introduced setting `cluster_user_trust` in the `trust` section of
    magnum.conf. This setting defaults to False. `cluster_user_trust` dictates
    whether to allow passing a trust ID into a cluster's instances. For most
    clusters this capability is not needed. Clusters with
    `registry_enabled=True` or `volume_driver=rexray` will need this
    capability. Other features that require this capability may be introduced
    in the future. To be able to create such clusters you will need to set
    `cluster_user_trust` to True.