Allow keystone to configure secure RBAC options
This updates the keystone api container to set the appropriate configuration options when EnforceSecureRbac is True. This will be needed when more OpenStack services support system-scope and deployers want to enable those personas.

Change-Id: I7ed3ace9d9fea56b800685bb890ccbb0530e36a9
parent
894bd5b8c9
commit
b49da72366
|
@ -626,6 +626,10 @@ outputs:
|
|||
keystone::using_domain_config: True
|
||||
tripleo::profile::base::keystone::ldap_backends_config:
|
||||
get_param: KeystoneLDAPBackendConfigs
|
||||
- if:
|
||||
- {get_param: EnforceSecureRbac}
|
||||
- keystone::policy::enforce_scope: true
|
||||
keystone::policy::enforce_new_defaults: true
|
||||
- if:
|
||||
- change_password_upon_first_use_set
|
||||
- keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
|
||||
|
|
|
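Review bot: The new `- if:` entry takes `{get_param: EnforceSecureRbac}` directly as its condition, while the entry right after it uses a named condition (`change_password_upon_first_use_set`), and the parameter declaration is not visible in this hunk. Please confirm that `EnforceSecureRbac` is declared in this template as a boolean defaulting to false, so that an existing deployment does not start enforcing scope on update without opting in. Because `keystone::policy::enforce_scope` and `keystone::policy::enforce_new_defaults` are switched together by this one flag, a short comment above the entry saying so would help the next reader. For consistency with the neighbouring entry, consider a named condition here as well.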
@ -0,0 +1,9 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Keystone can now be configured to support secure RBAC `personas
|
||||
<https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions>`_
|
||||
with the `EnforceSecureRbac` setting. Note that deployments with mixed permission
|
||||
models will have unexpected side-effects. Setting this option won't have
|
||||
meaningful effect until all services in your deployment support secure RBAC
|
||||
personas.
|
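Review bot: The warning in the release note that "deployments with mixed permission models will have unexpected side-effects" does not tell an operator what to check before setting `EnforceSecureRbac`. Since this entry is filed under `features:`, consider stating the default value and what this change actually applies (keystone's `enforce_scope` and `enforce_new_defaults`), so the reader can judge whether the rest of their deployment is ready. Style point on the same paragraph: `EnforceSecureRbac` is wrapped in single backticks, which reStructuredText treats as interpreted text rather than a literal; double backticks would render it as code.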