Merge "Allow configuring secure RBAC in placement" into stable/wallaby
This commit is contained in:
commit
f556f24ad3
|
@ -60,6 +60,17 @@ parameters:
|
|||
description: >
|
||||
Endpoint interface to be used for the placement API.
|
||||
default: 'internal'
|
||||
EnforceSecureRbac:
|
||||
type: boolean
|
||||
default: false
|
||||
description: >-
|
||||
Setting this option to True will configure each OpenStack service to
|
||||
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
|
||||
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
|
||||
of RBAC personas across OpenStack services that include support for
|
||||
system and project scope, as well as keystone's default roles, admin,
|
||||
member, and reader. Do not enable this functionality until all services in
|
||||
your deployment actually support secure RBAC.
|
||||
KeystoneRegion:
|
||||
type: string
|
||||
default: 'regionOne'
|
||||
|
@ -153,6 +164,8 @@ outputs:
|
|||
- {get_param: PlacementDebug}
|
||||
- true
|
||||
- {get_param: Debug}
|
||||
placement::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
|
||||
placement::policy::enforce_scope: {get_param: EnforceSecureRbac}
|
||||
placement::wsgi::apache::api_port: '8778'
|
||||
placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
|
|
Loading…
Reference in New Issue