Add a configuration option to enable secure RBAC in Heat
This adds a new option called EnableSecureRbac so that you can
enable secure RBAC with keystone in TripleO deployments.
This option sets the necessary oslo.policy configuration options in
Heat's configuration file so support secure RBAC.
Change-Id: I865623feb4338c8f51b56d9916fe20f2c515a86e
Signed-off-by: Kevin Carter <kecarter@redhat.com>
(cherry picked from commit 613dd92d87
)
This commit is contained in:
parent
59cf7eb9c0
commit
4163c52d0e
|
@ -140,6 +140,17 @@ parameters:
|
||||||
description: |
|
description: |
|
||||||
Use the advanced (eventlet safe) memcached client pool.
|
Use the advanced (eventlet safe) memcached client pool.
|
||||||
default: true
|
default: true
|
||||||
|
EnforceSecureRbac:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
description: >-
|
||||||
|
Setting this option to True will configure each OpenStack service to
|
||||||
|
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
|
||||||
|
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
|
||||||
|
of RBAC personas across OpenStack services that include support for
|
||||||
|
system and project scope, as well as keystone's default roles, admin,
|
||||||
|
member, and reader. Do not enable this functionality until all services in
|
||||||
|
your deployment actually support secure RBAC.
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
tls_cache_enabled:
|
tls_cache_enabled:
|
||||||
|
@ -156,6 +167,10 @@ outputs:
|
||||||
service_name: heat_base
|
service_name: heat_base
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
- if:
|
||||||
|
- {get_param: EnforceSecureRbac}
|
||||||
|
- heat::policy::enforce_scope: true
|
||||||
|
heat::policy::enforce_new_defaults: true
|
||||||
- if:
|
- if:
|
||||||
- cors_allowed_origin_set
|
- cors_allowed_origin_set
|
||||||
- heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}
|
- heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}
|
||||||
|
|
Loading…
Reference in New Issue