openstack/tripleo-heat-templates
Code Issues Proposed changes

Merge "Allow keystone to configure secure RBAC options"

Browse Source
This commit is contained in:
Zuul 2022-01-12 02:57:14 +00:00 committed by Gerrit Code Review
commit 1f871217c2
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
deployment/keystone/keystone-container-puppet.yaml
View File

@ -626,6 +626,10 @@ outputs:
keystone::using_domain_config: True keystone::using_domain_config: True
tripleo::profile::base::keystone::ldap_backends_config: tripleo::profile::base::keystone::ldap_backends_config:
get_param: KeystoneLDAPBackendConfigs get_param: KeystoneLDAPBackendConfigs
- if:
- {get_param: EnforceSecureRbac}
- keystone::policy::enforce_scope: true
keystone::policy::enforce_new_defaults: true
- if: - if:
- change_password_upon_first_use_set - change_password_upon_first_use_set
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse} - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}

9
releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml Normal file
View File

@ -0,0 +1,9 @@
---
features:
- |
Keystone can now be configured to support secure RBAC `personas
<https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions>`_
with the `EnforceSecureRbac` setting. Note that deployments with mixed permission
models will have unexpected side-effects. Setting this option won't have
meaningful effect until all services in your deployment support secure RBAC
personas.