Merge "Allow neutron to configure secure RBAC options"
commit
a89b2ca259
@ -209,6 +209,17 @@ parameters:
|
||||
description: The password for the Ironic service and db account, used by the Ironic services
|
||||
type: string
|
||||
hidden: true
|
||||
EnforceSecureRbac:
|
||||
type: boolean
|
||||
default: false
|
||||
description: >-
|
||||
Setting this option to True will configure each OpenStack service to
|
||||
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
|
||||
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
|
||||
of RBAC personas across OpenStack services that include support for
|
||||
system and project scope, as well as keystone's default roles, admin,
|
||||
member, and reader. Do not enable this functionality until all services in
|
||||
your deployment actually support secure RBAC.
|
||||
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
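Review bot: The `EnforceSecureRbac` description promises more than the lines in this change deliver: it says the option "will configure each OpenStack service", while the only hieradata wired to it here is `neutron::policy::enforce_scope` and `neutron::policy::enforce_new_defaults`. Either scope the wording to what this template does (for example, "configures Neutron to enforce Secure RBAC") or say explicitly that the parameter is shared and each service template acts on it separately, so an operator does not assume that setting it once changes policy enforcement everywhere. The closing caution about not enabling it until all services support secure RBAC is worth keeping, and it would help to say what happens if a service lags behind (requests authorised under the old defaults being rejected), since that is the failure an operator will actually see.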
@ -319,6 +330,10 @@ outputs:
|
||||
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||
read_default_group: tripleo
|
||||
neutron::policy::policies: {get_param: NeutronApiPolicies}
|
||||
- if:
|
||||
- {get_param: EnforceSecureRbac}
|
||||
- neutron::policy::enforce_scope: true
|
||||
neutron::policy::enforce_new_defaults: true
|
||||
neutron::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
|
||||
neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
neutron::server::agent_down_time: {get_param: NeutronAgentDownTime}
|
||||
|
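Review bot: The new `if` block, as rendered here, carries a condition (`{get_param: EnforceSecureRbac}`) and a true branch but no value for the false case. Please confirm that the `heat_template_version` of this template accepts the two-argument form, or add an explicit empty map as the else value so that the default `false` path clearly contributes nothing to the config settings list. A second point on the same lines: `neutron::policy::policies: {get_param: NeutronApiPolicies}` sits directly above, and any custom rules passed through it were written against the old defaults. With `enforce_new_defaults` and `enforce_scope` set to true those overrides may no longer grant or deny what the operator intended, so a comment here or a sentence in the parameter description telling operators to review `NeutronApiPolicies` before enabling the flag would be useful.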
@ -0,0 +1,8 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Neutron can now be configured to support secure RBAC using
|
||||
`EnforceSecureRbac`. Note, you may not be able to use this until Neutron
|
||||
upstream has support for common RBAC `personas
|
||||
<https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions>`_.
|
||||
|
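Review bot: The release note tells operators they "may not be able to use this until Neutron upstream has support" but does not say what the option changes or what its default is. Suggest naming the two settings it toggles (`[oslo_policy] enforce_new_defaults` and `[oslo_policy] enforce_scope`, as the parameter description does) and stating that `EnforceSecureRbac` defaults to false, so that existing deployments are unaffected on upgrade. A reader who only sees the release note then knows this is opt-in and which policy behaviour to test before turning it on.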