Merge "Add a configuration option to enable secure RBAC in Heat"
commit 975d603399
@ -144,6 +144,17 @@ parameters:
|
|||
description: |
|
||||
Use the advanced (eventlet safe) memcached client pool.
|
||||
default: true
|
||||
EnforceSecureRbac:
|
||||
type: boolean
|
||||
default: false
|
||||
description: >-
|
||||
Setting this option to True will configure each OpenStack service to
|
||||
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
|
||||
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
|
||||
of RBAC personas across OpenStack services that include support for
|
||||
system and project scope, as well as keystone's default roles, admin,
|
||||
member, and reader. Do not enable this functionality until all services in
|
||||
your deployment actually support secure RBAC.
|
||||
|
||||
conditions:
|
||||
tls_cache_enabled:
|
||||
|
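Review bot: the `EnforceSecureRbac` description promises more than this template delivers. It says the option "will configure each OpenStack service", but the parameter is declared here next to Heat's own settings and the only consumer visible in this change sets `heat::policy::*`. Either scope the wording to Heat in this file, or state explicitly that the same parameter name is shared across service templates, so an operator reading this one does not assume a single switch has already covered every service. The description also writes "True" while the default is the YAML boolean `false`; using lowercase `true` in the text would match what operators put in their environment files. The closing warning ("Do not enable this functionality until all services in your deployment actually support secure RBAC") is documentation only. Nothing in the hunk checks it, so it is worth saying in the description how an operator is expected to verify that before flipping the default.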
@ -160,6 +171,10 @@ outputs:
|
|||
service_name: heat_base
|
||||
config_settings:
|
||||
map_merge:
|
||||
- if:
|
||||
- {get_param: EnforceSecureRbac}
|
||||
- heat::policy::enforce_scope: true
|
||||
heat::policy::enforce_new_defaults: true
|
||||
- if:
|
||||
- cors_allowed_origin_set
|
||||
- heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}
|
||||
|
|
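Review bot: the new `if` entry uses `{get_param: EnforceSecureRbac}` inline as its condition, while the entry directly below it uses a named condition (`cors_allowed_origin_set`) and the template already has a `conditions:` section. Defining a named condition there for this parameter and referencing it here would keep the two `map_merge` entries in the same style and make the toggle easier to find and reuse. Note also that `heat::policy::enforce_scope` and `heat::policy::enforce_new_defaults` are only ever set together, and only to `true`. When the parameter is false neither key is emitted, so the effective values come from whatever default sits downstream of this template. If the intent is that false means "explicitly off", add an else branch that sets both to `false`; if the intent is "leave the downstream default", a short comment above the `if` saying so would help the next reader.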