Add a global configuration option for secure RBAC

This commit adds a single option that we can use to turn secure RBAC on
in all the OpenStack services. This is a contrasting approach to using
service-specific variables.

We don't intend anyone to use this functionality until we can update
each OpenStack service to use the correct token when communicating with
other services. Deployers should also only use this if they are sure all
services in their deployment actually support secure RBAC, which might
not be for a while, but this allows us to lay down the plumbing in each
service to turn it on now, which will be useful for testing and flushing
out what we need to change in TripleO as well as the upstream services.

Change-Id: I13262a4f1a6e850d66b2c687e730e0c2004c1f29
Lance Bragstad 2021-08-27 20:34:51 +00:00
parent 8e56ceb957
commit 57a8efd407

@ -391,6 +391,17 @@ parameters:
default: ''
type: string
hidden: true
EnforceSecureRbac:
type: boolean
default: false
description: >-
Setting this option to True will configure each OpenStack service to
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
of RBAC personas across OpenStack services that include support for
system and project scope, as well as keystone's default roles, admin,
member, and reader. Do not enable this functionality until all services in
your deployment actually support secure RBAC.
parameter_groups:
- label: deprecated
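Review bot: The description promises that enabling `EnforceSecureRbac` sets `[oslo_policy] enforce_new_defaults` and `[oslo_policy] enforce_scope` to True in every service, but nothing in this hunk consumes the new parameter, so as far as this change shows it is a no-op until the per-service templates are updated to read it; either reference the follow-up changes that wire it through or say in the description that the option has no effect until each service honours it. The commit message also carries a caveat the description lacks, that services must first be updated to use the correct token when calling other services; deployers read the parameter description rather than the git log, so that caveat belongs in the `description:` text next to the existing "Do not enable this functionality until all services in your deployment actually support secure RBAC." sentence.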