Allow keystone to configure secure RBAC options

This updates the keystone api container to set the appropriate configuration options when EnforceSecureRbac is True. This will be needed when more OpenStack services support system-scope and deployers want to enable those personas. Change-Id: I7ed3ace9d9fea56b800685bb890ccbb0530e36a9
2021-08-11 14:48:56 +00:00 · 2021-08-11 14:48:56 +00:00 · b49da72366
parent 894bd5b8c9
commit b49da72366
2 changed files with 13 additions and 0 deletions
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@ -626,6 +626,10 @@ outputs:
              keystone::using_domain_config: True
              tripleo::profile::base::keystone::ldap_backends_config:
                get_param: KeystoneLDAPBackendConfigs
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - keystone::policy::enforce_scope: true
+              keystone::policy::enforce_new_defaults: true
          - if:
            - change_password_upon_first_use_set
            - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
--- a/releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml
+++ b/releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Keystone can now be configured to support secure RBAC `personas
+    <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions>`_
+    with the `EnforceSecureRbac` setting. Note that deployments with mixed permission
+    models will have unexpected side-effects. Setting this option won't have
+    meaningful effect until all services in your deployment support secure RBAC
+    personas.