0bb0d6486d
This commit addresses multiple potential vulnerabilities in Magnum. It makes the following changes: * Permissions for /etc/sysconfig/heat-params inside Magnum created instances are tightened to 0600 (used to be 0755). * Certificate retrieval is modified to work without the need for a Keystone trust. * The cluster's Keystone trust id is only passed into instances for clusters where that is actually needed. This prevents the trustee user from consuming the trust in cases where it is not needed. * The configuration setting trust/cluster_user_trust (False by default) is introduced. It needs to be explicitely enabled by the cloud operator to allow clusters that need the trust_id to be passed into instances to work. Without this setting, attempts to create such clusters will fail. Please note, that none of these changes apply to existing clusters. They will have to be deleted and rebuilt to benefit from these changes. (cherry picked from commit e93d82e8b3bc19211efd54edc17aebdca50670c1) Changes for backport: * Moved cluster_user_trust setting to magnum/common/keystone.py * Resolved merge conflicts. * Fixed unit tests with configuration overrides. Change-Id: I408d845ee4fd00d5bcd1e90f0a78f2bba3f2a57a
Magnum
Magnum is an OpenStack project which offers container orchestration engines for deploying and managing containers as first class resources in OpenStack.
For more information, please refer to the following resources:
- Free software: under the Apache license
- Documentation: http://docs.openstack.org/developer/magnum
- Source: http://git.openstack.org/cgit/openstack/magnum
- Blueprints: https://blueprints.launchpad.net/magnum
- Bugs: http://bugs.launchpad.net/magnum
- REST Client: http://git.openstack.org/cgit/openstack/python-magnumclient