Add a configuration option to enable secure RBAC in Heat

This adds a new option called EnableSecureRbac so that you can enable secure RBAC with keystone in TripleO deployments. This option sets the necessary oslo.policy configuration options in Heat's configuration file so support secure RBAC. Change-Id: I865623feb4338c8f51b56d9916fe20f2c515a86e Signed-off-by: Kevin Carter <kecarter@redhat.com> (cherry picked from commit 613dd92d87)
2021-08-11 11:56:31 -05:00 · 2021-08-11 11:56:31 -05:00 · 4163c52d0e
parent 59cf7eb9c0
commit 4163c52d0e
1 changed files with 15 additions and 0 deletions
--- a/deployment/heat/heat-base-puppet.yaml
+++ b/deployment/heat/heat-base-puppet.yaml
@ -140,6 +140,17 @@ parameters:
    description: |
      Use the advanced (eventlet safe) memcached client pool.
    default: true
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.

 conditions:
  tls_cache_enabled:
@ -156,6 +167,10 @@ outputs:
      service_name: heat_base
      config_settings:
        map_merge:
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - heat::policy::enforce_scope: true
+              heat::policy::enforce_new_defaults: true
          - if:
            - cors_allowed_origin_set
            - heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}