diff options
authorSpyros Trigazis <>2017-03-28 11:58:10 +0200
committerSpyros Trigazis <>2017-03-29 15:18:26 +0000
commitaaa94e1a28ed95b9343abed6488378b8522f1ec2 (patch)
parent9f6296e43220a7910b0547c6ac42cc5a6ae5b20c (diff)
Add reno for cluster_user_trust option
Add release notes for the new configuration parameter cluster_user_trust which was introduced in the fix for CVE-2016-7404. (cherry picked from commit 4d4e98157ecf9b880ef409f2256eca2d0466f40b) Change-Id: Ia59bd3ec543f6e9b53ddb4c107d6a44d198eb9d7 Related-Bug: #1620536
Notes (review): Code-Review+1: Vijendar Komalla <> Code-Review+2: yatin <> Code-Review+2: Madhuri Kumari <> Workflow+1: Madhuri Kumari <> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Thu, 30 Mar 2017 11:50:27 +0000 Reviewed-on: Project: openstack/magnum Branch: refs/heads/stable/ocata
1 files changed, 29 insertions, 0 deletions
diff --git a/releasenotes/notes/CVE-2016-7404-f53e62a4a40e4d30.yaml b/releasenotes/notes/CVE-2016-7404-f53e62a4a40e4d30.yaml
new file mode 100644
index 0000000..2edb410
--- /dev/null
+++ b/releasenotes/notes/CVE-2016-7404-f53e62a4a40e4d30.yaml
@@ -0,0 +1,29 @@
3 - |
4 To let clusters communicate directly with OpenStack service other than
5 Magnum, in the `trust` section of magnum.conf, set `cluster_user_trust` to
6 True. The default value is False.
8 - |
9 Every magnum cluster is assigned a trustee user and a trustID. This user is
10 used to allow clusters communicate with the key-manager service (Barbican)
11 and get the certificate authority of the cluster. This trust user can be
12 used by other services too. It can be used to let the cluster authenticate
13 with other OpenStack services like the Block Storage service, Object
14 Storage service, Load Balancing etc. The cluster with this user and the
15 trustID has full access to the trustor's OpenStack project. A new
16 configuration parameter has been added to restrict the access to other
17 services than Magnum.
19 - |
20 Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have
21 to be re-created to benefit from this fix. Part of this fix is the newly
22 introduced setting `cluster_user_trust` in the `trust` section of
23 magnum.conf. This setting defaults to False. `cluster_user_trust` dictates
24 whether to allow passing a trust ID into a cluster's instances. For most
25 clusters this capability is not needed. Clusters with
26 `registry_enabled=True` or `volume_driver=rexray` will need this
27 capability. Other features that require this capability may be introduced
28 in the future. To be able to create such clusters you will need to set
29 `cluster_user_trust` to True.