Add reno for cluster_user_trust option

Add release notes for the new configuration parameter
cluster_user_trust which was introduced in the fix
for CVE-2016-7404.

(cherry picked from commit 4d4e98157e)

Change-Id: Ia59bd3ec543f6e9b53ddb4c107d6a44d198eb9d7
Related-Bug: #1620536
Spyros Trigazis 2017-03-28 11:58:10 +02:00
parent 9f6296e432
commit aaa94e1a28
1 changed files with 29 additions and 0 deletions

@ -0,0 +1,29 @@
---
upgrade:
- |
To let clusters communicate directly with OpenStack service other than
Magnum, in the `trust` section of magnum.conf, set `cluster_user_trust` to
True. The default value is False.
security:
- |
Every magnum cluster is assigned a trustee user and a trustID. This user is
used to allow clusters communicate with the key-manager service (Barbican)
and get the certificate authority of the cluster. This trust user can be
used by other services too. It can be used to let the cluster authenticate
with other OpenStack services like the Block Storage service, Object
Storage service, Load Balancing etc. The cluster with this user and the
trustID has full access to the trustor's OpenStack project. A new
configuration parameter has been added to restrict the access to other
services than Magnum.
fixes:
- |
Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have
to be re-created to benefit from this fix. Part of this fix is the newly
introduced setting `cluster_user_trust` in the `trust` section of
magnum.conf. This setting defaults to False. `cluster_user_trust` dictates
whether to allow passing a trust ID into a cluster's instances. For most
clusters this capability is not needed. Clusters with
`registry_enabled=True` or `volume_driver=rexray` will need this
capability. Other features that require this capability may be introduced
in the future. To be able to create such clusters you will need to set
`cluster_user_trust` to True.
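Review bot: the `upgrade` section (lines starting "To let clusters communicate directly") omits the operator-facing consequence that only appears at the end of the `fixes` section: with the new default `cluster_user_trust = False`, clusters with `registry_enabled=True` or `volume_driver=rexray` cannot be created until the operator sets the option to True. Deployers read `upgrade` before upgrading, so that condition belongs there as well, e.g. "After upgrading, clusters with `registry_enabled=True` or `volume_driver=rexray` can only be created if `cluster_user_trust` is set to True in the `trust` section of magnum.conf." The statement that existing clusters must be re-created to benefit from the fix is likewise upgrade-relevant and should be repeated or moved there. In the `security` section, make the trade-off explicit: since the `fixes` text says the option "dictates whether to allow passing a trust ID into a cluster's instances" and the trust "has full access to the trustor's OpenStack project", setting it to True hands that project-wide access to whoever can reach the cluster's instances, i.e. it restores the pre-fix exposure for those clusters; one sentence saying so would let operators weigh the registry/rexray use cases against it. Minor grammar in the same file: "OpenStack service other than Magnum" should read "OpenStack services other than Magnum", "allow clusters communicate" should read "allow clusters to communicate", and "restrict the access to other services than Magnum" should read "restrict access to services other than Magnum".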