d9aa5c7077
Add release notes for the new configuration parameter cluster_user_trust which was introduced in the fix for CVE-2016-7404.

Change-Id: Iae14491471254e5f4b6d766290d44762043ee259
Related-Bug: #1620536
30 lines
1.5 KiB
YAML
---
upgrade:
  - |
    To let clusters communicate directly with OpenStack services other than
    Magnum, in the `trust` section of magnum.conf, set `cluster_user_trust` to
    True. The default value is False.
security:
  - |
    Every magnum cluster is assigned a trustee user and a trustID. This user is
    used to allow clusters to communicate with the key-manager service (Barbican)
    and get the certificate authority of the cluster. This trust user can be
    used by other services too. It can be used to let the cluster authenticate
    with other OpenStack services like the Block Storage service, Object
    Storage service, Load Balancing etc. The cluster with this user and the
    trustID has full access to the trustor's OpenStack project. A new
    configuration parameter has been added to restrict the access to other
    services than Magnum.
fixes:
  - |
    Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have
    to be re-created to benefit from this fix. Part of this fix is the newly
    introduced setting `cluster_user_trust` in the `trust` section of
    magnum.conf. This setting defaults to False. `cluster_user_trust` dictates
    whether to allow passing a trust ID into a cluster's instances. For most
    clusters this capability is not needed. Clusters with
    `registry_enabled=True` or `volume_driver=rexray` will need this
    capability. Other features that require this capability may be introduced
    in the future. To be able to create such clusters you will need to set
    `cluster_user_trust` to True.
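As an added example (not part of this commit or of Magnum itself), a small Python audit that reads the `[trust]` section of a magnum.conf with the standard-library INI parser and reports, per cluster template, whether `cluster_user_trust` is enabled without being needed or disabled while the template uses `registry_enabled=True` or `volume_driver=rexray`; the two config fragments and the template dicts are constructed for the example.

```python
import configparser
from typing import Callable, Dict, List

# Constructed magnum.conf fragments (not taken from the page): one relying on
# the default, one with cluster_user_trust explicitly enabled.
CONF_DEFAULT = """
[DEFAULT]
debug = False

[trust]
trustee_domain_name = magnum
"""

CONF_ENABLED = """
[trust]
trustee_domain_name = magnum
cluster_user_trust = True
"""

# Cluster-template options that, per the release note, require the trust ID
# to be passed into the cluster's instances.
OPTIONS_NEEDING_TRUST: Dict[str, Callable[[str], bool]] = {
    "registry_enabled": lambda v: v.strip().lower() == "true",
    "volume_driver": lambda v: v.strip().lower() == "rexray",
}


def cluster_user_trust_enabled(conf_text: str) -> bool:
    """Effective value of [trust]cluster_user_trust; absent means False."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    # getboolean accepts the true/yes/1/on spellings oslo.config also allows
    return parser.getboolean("trust", "cluster_user_trust", fallback=False)


def audit(conf_text: str, template: Dict[str, str]) -> List[str]:
    """Findings for one cluster template against the given magnum.conf."""
    findings: List[str] = []
    enabled = cluster_user_trust_enabled(conf_text)
    needs = [k for k, pred in OPTIONS_NEEDING_TRUST.items()
             if k in template and pred(template[k])]
    if enabled:
        findings.append("cluster_user_trust=True: the trust ID is passed into "
                        "cluster instances, giving them full access to the "
                        "trustor's project")
        if not needs:
            findings.append("no template option requires it; set "
                            "cluster_user_trust=False to restrict access")
    elif needs:
        findings.append("cluster_user_trust=False but the template uses "
                        + ", ".join(needs) + "; such clusters need it set to True")
    return findings
```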