Merge "Add a configuration option to enable secure RBAC in Heat"

2021-12-06 21:23:06 +00:00 · 2021-12-06 21:23:06 +00:00 · 975d603399
parent b3e8e218f8 613dd92d87
commit 975d603399
1 changed files with 15 additions and 0 deletions
--- a/deployment/heat/heat-base-puppet.yaml
+++ b/deployment/heat/heat-base-puppet.yaml
@ -144,6 +144,17 @@ parameters:
    description: |
      Use the advanced (eventlet safe) memcached client pool.
    default: true
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.

 conditions:
  tls_cache_enabled:
@ -160,6 +171,10 @@ outputs:
      service_name: heat_base
      config_settings:
        map_merge:
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - heat::policy::enforce_scope: true
+              heat::policy::enforce_new_defaults: true
          - if:
            - cors_allowed_origin_set
            - heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}