Merge "Allow configuring secure RBAC in placement" into stable/wallaby

2021-10-10 01:49:48 +00:00 · 2021-10-10 01:49:48 +00:00 · f556f24ad3
parent 317966a7b3 0cb5568769
commit f556f24ad3
1 changed files with 13 additions and 0 deletions
--- a/deployment/placement/placement-api-container-puppet.yaml
+++ b/deployment/placement/placement-api-container-puppet.yaml
@ -60,6 +60,17 @@ parameters:
    description: >
        Endpoint interface to be used for the placement API.
    default: 'internal'
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.
  KeystoneRegion:
    type: string
    default: 'regionOne'
@ -153,6 +164,8 @@ outputs:
              - {get_param: PlacementDebug}
              - true
              - {get_param: Debug}
+            placement::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
+            placement::policy::enforce_scope: {get_param: EnforceSecureRbac}
            placement::wsgi::apache::api_port: '8778'
            placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
            # NOTE: bind IP is found in hiera replacing the network name with the local node IP