Merge "Allow keystone to configure secure RBAC options"

changes/57/824357/1
Zuul 4 months ago committed by Gerrit Code Review
parent
commit
1f871217c2
  1. 4
      deployment/keystone/keystone-container-puppet.yaml
  2. 9
      releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml

4
deployment/keystone/keystone-container-puppet.yaml

@ -626,6 +626,10 @@ outputs:
keystone::using_domain_config: True
tripleo::profile::base::keystone::ldap_backends_config:
get_param: KeystoneLDAPBackendConfigs
- if:
- {get_param: EnforceSecureRbac}
- keystone::policy::enforce_scope: true
keystone::policy::enforce_new_defaults: true
- if:
- change_password_upon_first_use_set
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
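Review bot: the new condition in the added `- if:` block reads `{get_param: EnforceSecureRbac}` directly, but all four lines this change adds to the file sit in this hunk, so no declaration of that parameter is visible here. Please confirm `EnforceSecureRbac` is already declared in this template's parameters as a boolean that defaults to false, so that existing deployments do not begin enforcing scope and the new policy defaults without opting in. As a style point, the neighbouring block uses a named condition (`change_password_upon_first_use_set`); a named condition here would keep the two consistent.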

9
releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml

@ -0,0 +1,9 @@
---
features:
- |
Keystone can now be configured to support secure RBAC `personas
<https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions>`_
with the `EnforceSecureRbac` setting. Note that deployments with mixed permission
models will have unexpected side-effects. Setting this option won't have
meaningful effect until all services in your deployment support secure RBAC
personas.
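Review bot: the feature text does not say what `EnforceSecureRbac` changes or what it defaults to. The template change in this commit sets `keystone::policy::enforce_scope` and `keystone::policy::enforce_new_defaults` to true when the parameter is enabled; naming those two options in the note would let operators see what they are opting into. The two caveats also pull in different directions ("unexpected side-effects" versus "won't have meaningful effect") and would read better as one sentence about deployments where only some services support secure RBAC. The note already uses reStructuredText link syntax, so the parameter name should be in double backticks to render as a literal.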