Add reno for cluster_user_trust option

Add release notes for the new configuration parameter
cluster_user_trust which was introduced in the fix
for CVE-2016-7404.

Change-Id: Iae14491471254e5f4b6d766290d44762043ee259
Related-Bug: #1620536

releasenotes/notes/CVE-2016-7404-f53e62a4a40e4d30.yaml

@@ -0,0 +1,29 @@
+---
+upgrade:
+  - |
+    To let clusters communicate directly with OpenStack service other than
+    Magnum, in the `trust` section of magnum.conf, set `cluster_user_trust`
+    to True. The default value is False.
+security:
+  - |
+    Every magnum cluster has assigned to a trustee user and a trustID. This
+    user is used to allow clusters communicate with the key-manager service
+    (Barbican) and get the certificate authority of the cluster. This trust
+    user can be used by other services too. It can be used, to let the cluster
+    authenticate with other OpenStack services like the Block Storage service,
+    Object Storage service, Load Balancing etc. The cluster with this user and
+    the trustID has full access to the trustor's OpenStack project. A new
+    configuration parameter has been added to restict the access to other
+    services than Magnum.
+fixes:
+  - |
+    Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have
+    to be recreated to benefit from this fix. Part of this fix is the newly
+    introduced setting `cluster_user_trust` in the `trust` section of
+    magnum.conf. This setting defaults to False. `cluster_user_trust` dictates
+    whether to allow passing a trust ID into a cluster's instances. For most
+    clusters this is capability is not needed. Clusters with
+    `registry_enabled=True` or `volume_driver=rexray` will need this
+    capability. Other features that require this capability may be introduced in
+    the future. To be able to create such clusters you will need to set
+    `cluster_user_trust` to True.