Add a global configuration option for secure RBAC
This commit adds a single option that we can use to turn secure RBAC on in all the OpenStack services. This is a contrasting approach to using service-specific variables. We don't intend anyone to use this functionality until we can update each OpenStack service to use the correct token when communicating with other services. Deployers should also only use this if they are sure all services in their deployment actually support secure RBAC, which might not be for a while, but this allows us to lay down the plumbing in each service to turn it on now, which will be useful for testing and flushing out what we need to change in TripleO as well as the upstream services.

Change-Id: I13262a4f1a6e850d66b2c687e730e0c2004c1f29
parent
8e56ceb957
commit
57a8efd407
@ -391,6 +391,17 @@ parameters:
|
|||||||
default: ''
|
default: ''
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
|
EnforceSecureRbac:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
description: >-
|
||||||
|
Setting this option to True will configure each OpenStack service to
|
||||||
|
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
|
||||||
|
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
|
||||||
|
of RBAC personas across OpenStack services that include support for
|
||||||
|
system and project scope, as well as keystone's default roles, admin,
|
||||||
|
member, and reader. Do not enable this functionality until all services in
|
||||||
|
your deployment actually support secure RBAC.
|
||||||
|
|
||||||
parameter_groups:
|
parameter_groups:
|
||||||
- label: deprecated
|
- label: deprecated
|
||||||
|
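Review bot: The description of `EnforceSecureRbac` says that setting it to True "will configure each OpenStack service", but this hunk only declares the parameter and nothing visible here consumes it, so the text promises more than the change delivers. Suggest rewording the description to say the option only takes effect in services whose templates read it, and to name the failure the closing "Do not enable" sentence guards against (per the commit message, services that do not yet use the correct token when communicating with other services), so a deployer can judge when it is safe. Because one boolean drives both `[oslo_policy] enforce_new_defaults` and `[oslo_policy] enforce_scope`, the description should also state that the two cannot be toggled separately through this parameter.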