Allow neutron to configure secure RBAC options

This updates the neutron api container to set the appropriate configuration options when EnforceSecureRbac is True. This will be needed when more OpenStack services support system-scope and deployers want to enable those personas. Change-Id: I6dc238c2b59c5c1d89d54a2dd1fbf7cef0d16313
2021-08-30 09:57:00 +02:00 · 2021-08-30 09:57:00 +02:00 · 8e28fde39c
commit 8e28fde39c
parent 61cef90379
2 changed files with 23 additions and 0 deletions
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@ -209,6 +209,17 @@ parameters:
    description: The password for the Ironic service and db account, used by the Ironic services
    type: string
    hidden: true
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.

 parameter_groups:
 - label: deprecated
@ -319,6 +330,10 @@ outputs:
                    - read_default_file: /etc/my.cnf.d/tripleo.cnf
                      read_default_group: tripleo
            neutron::policy::policies: {get_param: NeutronApiPolicies}
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - neutron::policy::enforce_scope: true
+              neutron::policy::enforce_new_defaults: true
            neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
            neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
            neutron::server::agent_down_time: {get_param: NeutronAgentDownTime}
--- a/releasenotes/notes/enable-secure-rbac-for-neutron-842bd41339a48f26.yaml
+++ b/releasenotes/notes/enable-secure-rbac-for-neutron-842bd41339a48f26.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Neutron can now be configured to support secure RBAC using
+    `EnforceSecureRbac`. Note, you may not be able to use this until Neutron
+    upstream has support for common RBAC `personas
+    <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions>`_.
+