Allow neutron to configure secure RBAC options

This updates the neutron api container to set the appropriate configuration options when EnforceSecureRbac is True. This will be needed when more OpenStack services support system-scope and deployers want to enable those personas. Conflicts: deployment/neutron/neutron-api-container-puppet.yaml Change-Id: I6dc238c2b59c5c1d89d54a2dd1fbf7cef0d16313 (cherry picked from commit 8e28fde39c)
2021-08-30 09:57:00 +02:00 · 2021-08-30 09:57:00 +02:00 · 4f0ad599b8
commit 4f0ad599b8
parent 0276fd099f
2 changed files with 23 additions and 0 deletions
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@ -191,6 +191,17 @@ parameters:
    description: |
      Seconds to regard the agent as down; should be at least twice
      NeutronGlobalReportInterval, to be sure the agent is down for good.
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.

 parameter_groups:
 - label: deprecated
@ -295,6 +306,10 @@ outputs:
                        read_default_group: tripleo

            neutron::policy::policies: {get_param: NeutronApiPolicies}
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - neutron::policy::enforce_scope: true
+              neutron::policy::enforce_new_defaults: true
            neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            neutron::server::agent_down_time: {get_param: NeutronAgentDownTime}
--- a/releasenotes/notes/enable-secure-rbac-for-neutron-842bd41339a48f26.yaml
+++ b/releasenotes/notes/enable-secure-rbac-for-neutron-842bd41339a48f26.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Neutron can now be configured to support secure RBAC using
+    `EnforceSecureRbac`. Note, you may not be able to use this until Neutron
+    upstream has support for common RBAC `personas
+    <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions>`_.
+