magnum/releasenotes/notes/CVE-2016-7404-f53e62a4a40e4...

---
upgrade:
  - |
    To let clusters communicate directly with OpenStack services other than
    Magnum, set `cluster_user_trust` to True in the `trust` section of
    magnum.conf. The default value is False.
security:
  - |
    Every Magnum cluster is assigned a trustee user and a trust ID. This user
    is used to let the cluster communicate with the key-manager service
    (Barbican) and fetch the cluster's certificate authority. The same trust
    can also let the cluster authenticate to other OpenStack services, such
    as the Block Storage service, the Object Storage service and Load
    Balancing. A cluster holding this user and trust ID has full access to
    the trustor's OpenStack project. A new configuration parameter has been
    added to restrict access to services other than Magnum.
fixes:
  - |
    Fixes CVE-2016-7404 for newly created clusters. Existing clusters will
    have to be re-created to benefit from this fix. Part of this fix is the
    newly introduced setting `cluster_user_trust` in the `trust` section of
    magnum.conf. This setting defaults to False. `cluster_user_trust`
    dictates whether a trust ID may be passed into a cluster's instances.
    For most clusters this capability is not needed. Clusters with
    `registry_enabled=True` or `volume_driver=rexray` will need this
    capability. Other features that require this capability may be
    introduced in the future. To be able to create such clusters you will
    need to set `cluster_user_trust` to True.
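The note ties the fix to one operator decision: `cluster_user_trust` stays False unless a cluster template uses `registry_enabled=True` or `volume_driver=rexray`, and flipping it to True hands every new cluster's instances a trust ID with full access to the trustor's project. The following preflight script is an added example written for this page; it is not Magnum code and does not call the Magnum API. It parses the `[trust]` section of a magnum.conf (the two config fragments and the cluster-template dicts are constructed inline, and the template attribute names mirror the ones the note quotes) and reports which templates would need the setting, so an operator can see whether enabling it is actually required before widening the trust.

```python
"""Preflight check for the CVE-2016-7404 `cluster_user_trust` setting.

Added example for this release note; not part of Magnum. It reads the
[trust] section of a magnum.conf and compares it with the features the
note says require a trust ID inside the cluster.
"""
import configparser

# Constructed magnum.conf fragments (not copied from a real deployment).
HARDENED_CONF = """
[trust]
cluster_user_trust = False
"""

PERMISSIVE_CONF = """
[trust]
cluster_user_trust = True
"""

# Constructed cluster-template attributes. The keys `registry_enabled` and
# `volume_driver` are the two the release note names; `name` is a label
# assumed here for reporting only.
SAMPLE_TEMPLATES = [
    {"name": "plain-k8s", "registry_enabled": False, "volume_driver": None},
    {"name": "registry-k8s", "registry_enabled": True, "volume_driver": None},
    {"name": "rexray-swarm", "registry_enabled": False, "volume_driver": "rexray"},
]


def template_needs_trust(template):
    """True if a cluster from this template needs a trust ID on its nodes.

    Only the two features the note lists are checked; anything else is
    treated as not needing the trust, which is the safe default.
    """
    if template.get("registry_enabled", False):
        return True
    if template.get("volume_driver") == "rexray":
        return True
    return False


def cluster_user_trust_enabled(conf_text):
    """Return the effective [trust] cluster_user_trust value from conf text.

    Missing section or option means the documented default, False.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.getboolean("trust", "cluster_user_trust", fallback=False)


def preflight(conf_text, templates):
    """Return (template name, needs trust, creatable under this conf) tuples.

    A template that needs the trust is only creatable when the operator has
    enabled cluster_user_trust; a template that does not need it is always
    creatable and should not be the reason to enable the setting.
    """
    enabled = cluster_user_trust_enabled(conf_text)
    report = []
    for template in templates:
        needs = template_needs_trust(template)
        report.append((template["name"], needs, enabled or not needs))
    return report


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("permissive", PERMISSIVE_CONF)):
        print(f"--- {label}: cluster_user_trust={cluster_user_trust_enabled(conf)}")
        for name, needs, ok in preflight(conf, SAMPLE_TEMPLATES):
            status = "ok" if ok else "BLOCKED (needs cluster_user_trust=True)"
            print(f"{name:14s} needs_trust={needs!s:5s} {status}")
```

Run it against a copy of the real magnum.conf by replacing the constructed fragment; if every template that matters reports `needs_trust=False`, leave the default in place, because the setting is global and every cluster created while it is True receives the project-wide trust.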