From 68db3d3bebe7861895793f059c68a414b06a9d99 Mon Sep 17 00:00:00 2001 From: David Vallee Delisle Date: Wed, 11 Aug 2021 10:38:42 -0400 Subject: [PATCH] Allow configuring secure RBAC in nova Adding new parameter EnforceSecureRbac to support for project persona of secure RBAC in nova-api. To make the secure RBAC work, 'oslo_policy/enforce_new_defaults' and 'oslo_policy/enforce_scope' are also required to be enabled with 'enforce_secure_rbac' in nova. Partially Implements: blueprint secure-rbac Change-Id: Ie03e3e7855563331774a85cef6cc36e414e0a260 --- deployment/nova/nova-api-container-puppet.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml index 840d2e3e9d..ebf814d764 100644 --- a/deployment/nova/nova-api-container-puppet.yaml +++ b/deployment/nova/nova-api-container-puppet.yaml @@ -59,6 +59,17 @@ parameters: default: 0 description: Number of workers for Nova services. type: number + EnforceSecureRbac: + type: boolean + default: false + description: >- + Setting this option to True will configure each OpenStack service to + enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and + `[oslo_policy] enforce_scope` to True. This introduces a consistent set + of RBAC personas across OpenStack services that include support for + system and project scope, as well as keystone's default roles, admin, + member, and reader. Do not enable this functionality until all services in + your deployment actually support secure RBAC. KeystoneRegion: type: string default: 'regionOne' 
@@ -403,6 +414,8 @@ outputs: nova::cron::archive_deleted_rows::all_cells: {get_param: NovaCronArchiveDeleteAllCells} nova::cron::archive_deleted_rows::age: {get_param: NovaCronArchiveDeleteRowsAge} nova::cron::archive_deleted_rows::task_log: {get_param: NovaCronArchiveDeleteRowsTaskLog} + nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac} + nova::policy::enforce_scope: {get_param: EnforceSecureRbac} - if: - nova_workers_set - nova::api::osapi_compute_workers: {get_param: NovaWorkers}
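Review bot: The description of `EnforceSecureRbac` in the first hunk says the option "will configure each OpenStack service to enforce Secure RBAC", but this change only defines the parameter in nova-api-container-puppet.yaml and only wires the two nova policy keys, so a reader of this template alone will be misled about its reach. Either reword to say that in this template it enables `[oslo_policy] enforce_new_defaults` and `[oslo_policy] enforce_scope` for nova-api, or state that the same parameter name is intended to be shared by the other service templates once they gain support. The closing sentence ("Do not enable this functionality until all services in your deployment actually support secure RBAC") is the key operational caveat and should stay.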
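Review bot: The second hunk wires only `nova::policy::enforce_new_defaults` and `nova::policy::enforce_scope` to the new parameter, while the commit message also says these must be enabled together with `enforce_secure_rbac` in nova; please confirm whether a third nova-side setting is intentionally left out or still needs to be added here. Since flipping this boolean changes how nova-api authorizes requests (unscoped or legacy-role tokens may start being rejected), a release note should accompany the change, and the stat line shows only the one template file touched.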