Allow configuring secure RBAC in glance
Adding a new parameter GlanceEnforceSecureRbac to support the project persona of secure RBAC. To make secure RBAC work, 'oslo_policy/enforce_new_defaults' is also required to be enabled together with 'enforce_secure_rbac' in glance.

Depends-On: I1db7fa2694bc9a448a47e435cfd95264504086c6
Partially Implements: blueprint secure-rbac
Change-Id: I312f9255adbaec270d4e3379e9f8c8fdf716c190
This commit is contained in:
parent 5670359777
commit 9193090b13
@ -193,6 +193,17 @@ parameters:
description: >
When using GlanceBackend 'file' and 'rbd' to enable or not sparse upload.
type: boolean
EnforceSecureRbac:
type: boolean
default: false
description: >-
Setting this option to True will configure each OpenStack service to
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
of RBAC personas across OpenStack services that include support for
system and project scope, as well as keystone's default roles, admin,
member, and reader. Do not enable this functionality until all services in
your deployment actually support secure RBAC.
KeystoneRegion:
type: string
default: 'regionOne'
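Review bot: the parameter added at `EnforceSecureRbac:` does not match the commit message, which names it `GlanceEnforceSecureRbac`; one of the two should be corrected so the change record, the template and the release note agree on the name. The description also states that enabling the option sets both `[oslo_policy] enforce_new_defaults` and `[oslo_policy] enforce_scope` to True, but this change only wires `enforce_new_defaults` (plus glance's own `enforce_secure_rbac`) and never touches `enforce_scope`; either scope the description to what the template actually configures or state that `enforce_scope` is deliberately left alone until system-scope personas are supported.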
@ -574,6 +585,10 @@ outputs:
- if:
- glance_workers_set
- glance::api::workers: {get_param: GlanceWorkers}
- if:
- {get_param: EnforceSecureRbac}
- glance::api::enforce_secure_rbac: true
glance::policy::enforce_new_defaults: true
- if:
- cinder_backend_enabled
- glance::backend::cinder::cinder_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
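Review bot: the new branch tests `{get_param: EnforceSecureRbac}` inline, whereas the neighbouring branches use named conditions (`glance_workers_set`, `cinder_backend_enabled`); for consistency define a condition (for example `enforce_secure_rbac_enabled`) in the template's `conditions:` section and reference it here. The `if` also has no false branch, so turning the parameter back off leaves `glance::api::enforce_secure_rbac` and `glance::policy::enforce_new_defaults` unset rather than explicitly `false`; if disabling the parameter is meant to actively revert the policy behaviour, add the explicit false values. Please also confirm that `glance::policy::enforce_new_defaults` exists in the puppet-glance version brought in by the Depends-On, since this hunk is the only place it is referenced.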
@ -0,0 +1,8 @@
---
features:
- |
The new parameter ``EnforceSecureRbac`` has been added to
enforce authorization based on common RBAC personas.
Currently in glance the support is only available for project-admin,
project-member and project-reader personas and system personas
will come in a later release.
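Review bot: the release note does not say what enabling ``EnforceSecureRbac`` actually changes for glance (`enforce_secure_rbac` together with `[oslo_policy] enforce_new_defaults`), nor does it carry the warning from the parameter description that the option must not be enabled until every service in the deployment supports secure RBAC; operators reading only the release notes need both. Since the note covers glance alone, say "in glance" in the first sentence so it is not read as a deployment-wide change, and the persona sentence needs a comma before "and system personas will come in a later release".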