Add reno for cluster_user_trust option
Add release notes for the new configuration parameter cluster_user_trust
which was introduced in the fix for CVE-2016-7404.

Change-Id: Iae14491471254e5f4b6d766290d44762043ee259
Related-Bug: #1620536
parent
bb16a62732
commit
4d4e98157e
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
To let clusters communicate directly with OpenStack service other than
|
||||
Magnum, in the `trust` section of magnum.conf, set `cluster_user_trust`
|
||||
to True. The default value is False.
|
||||
security:
|
||||
- |
|
||||
Every magnum cluster has assigned to a trustee user and a trustID. This
|
||||
user is used to allow clusters communicate with the key-manager service
|
||||
(Barbican) and get the certificate authority of the cluster. This trust
|
||||
user can be used by other services too. It can be used, to let the cluster
|
||||
authenticate with other OpenStack services like the Block Storage service,
|
||||
Object Storage service, Load Balancing etc. The cluster with this user and
|
||||
the trustID has full access to the trustor's OpenStack project. A new
|
||||
configuration parameter has been added to restict the access to other
|
||||
services than Magnum.
|
||||
fixes:
|
||||
- |
|
||||
Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have
|
||||
to be recreated to benefit from this fix. Part of this fix is the newly
|
||||
introduced setting `cluster_user_trust` in the `trust` section of
|
||||
magnum.conf. This setting defaults to False. `cluster_user_trust` dictates
|
||||
whether to allow passing a trust ID into a cluster's instances. For most
|
||||
clusters this is capability is not needed. Clusters with
|
||||
`registry_enabled=True` or `volume_driver=rexray` will need this
|
||||
capability. Other features that require this capability may be introduced in
|
||||
the future. To be able to create such clusters you will need to set
|
||||
`cluster_user_trust` to True.
|
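Review bot: The `upgrade` entry does not tell operators that the new default changes behaviour. The fact that clusters with `registry_enabled=True` or `volume_driver=rexray` cannot be created unless `cluster_user_trust` is True, and that existing clusters must be recreated to get the fix, appears only under `fixes`. Please repeat or cross-reference both points in `upgrade`, since that is the section read before a deployment is upgraded. The `upgrade` entry should also state the cost of enabling the option: per the `security` entry, a cluster holding the trustee user and trustID "has full access to the trustor's OpenStack project", so setting it to True restores that exposure for the clusters created afterwards. The `security` entry itself never names the parameter ("A new configuration parameter has been added"); naming `cluster_user_trust`, its `trust` section and its default there would let it stand on its own. Wording to fix before this is published: "restict" should be "restrict", "this is capability is not needed" has a stray "is", "has assigned to a trustee user" should read "is assigned a trustee user", "allow clusters communicate" is missing "to", and "OpenStack service other than Magnum" should be "services".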