From ddadaa282e72cc437470859766ac963ac757a26a Mon Sep 17 00:00:00 2001
From: Sean Mooney
Date: Wed, 10 May 2023 20:58:47 +0100
Subject: [PATCH] always add service_user section to nova.conf

As of I3629b84d3255a8fe9d8a7cea8c6131d7c40899e8 nova now requires the service_user section to be configured to address CVE-2023-2088. This change adds the service user section to the nova.conf template in the nova and nova-cell roles.

Related-Bug: #2004555
Signed-off-by: Sven Kieske
Change-Id: I2189dafca070accfd8efcd4b8cc4221c6decdc9f
(cherry picked from commit a77ea13ef1991543df29b7eea14b1f91ef26f858)
(cherry picked from commit 03c12abbcc107bfec451f4558bc97d14facae01c)
(cherry picked from commit cb105dc293ff1cdb11ab63fa3e3bf39fd17e0ee0)
(cherry picked from commit efe6650d09441b02cf93738a94a59723d84c5b19)
---
 ansible/roles/cinder/templates/cinder.conf.j2 | 5 +++++
 ansible/roles/nova-cell/templates/nova.conf.j2 | 13 +++++++++++++
 ansible/roles/nova/templates/nova.conf.j2 | 13 +++++++++++++
 .../notes/cve-2023-2088-51e7e050be2139bf.yaml | 9 +++++++++
 4 files changed, 40 insertions(+)
 create mode 100644 releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml

diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index a7ebf2c099..ec697829aa 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -103,6 +103,11 @@ max_retries = -1
 
 [keystone_authtoken]
 service_type = volume
+# security fix, always validate service tokens
+# see: https://security.openstack.org/ossa/OSSA-2023-003.html
+# and: https://docs.openstack.org/cinder/zed/configuration/block-storage/service-token.html#troubleshooting
+service_token_roles_required = true
+service_token_roles = admin
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
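Review bot: The added comment `# security fix, always validate service tokens` understates what `service_token_roles_required = true` does: with it, keystonemiddleware rejects any request carrying an X-Service-Token whose service user lacks the role named in `service_token_roles` (here `admin`), instead of only logging a warning as before. That turns the setting into a hard dependency on every caller's `[service_user]` identity holding `admin` in the `service` project — the nova templates in this patch point `[service_user]` at `nova_keystone_user`, and nothing in this hunk shows that user (or any other service that sends service tokens to cinder, e.g. glance) is registered with that role, so operators should verify this before rolling the change out or volume operations will start failing with 401s. I would expand the comment to `# Reject requests whose X-Service-Token lacks the 'admin' role; every service that calls cinder with a service token must use a user holding that role in the 'service' project.`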
diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2
index 6fbf05499a..c78f483dc3 100644
--- a/ansible/roles/nova-cell/templates/nova.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.j2
@@ -258,3 +258,16 @@ track_instance_changes = false
 [pci]
 passthrough_whitelist = {{ nova_pci_passthrough_whitelist | to_json }}
 {% endif %}
+
+[service_user]
+send_service_user_token = true
+auth_url = {{ keystone_internal_url }}
+auth_type = password
+project_domain_id = {{ default_project_domain_id }}
+user_domain_id = {{ default_user_domain_id }}
+project_name = service
+username = {{ nova_keystone_user }}
+password = {{ nova_keystone_password }}
+cafile = {{ openstack_cacert }}
+region_name = {{ openstack_region_name }}
+valid_interfaces = internal
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index 06a635e960..49646f8826 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -204,3 +204,16 @@ auth_endpoint = {{ keystone_internal_url }}
 barbican_endpoint_type = internal
 verify_ssl_path = {{ openstack_cacert }}
 {% endif %}
+
+[service_user]
+send_service_user_token = true
+auth_url = {{ keystone_internal_url }}
+auth_type = password
+project_domain_id = {{ default_project_domain_id }}
+user_domain_id = {{ default_user_domain_id }}
+project_name = service
+username = {{ nova_keystone_user }}
+password = {{ nova_keystone_password }}
+cafile = {{ openstack_cacert }}
+region_name = {{ openstack_region_name }}
+valid_interfaces = internal
diff --git a/releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml b/releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml
new file mode 100644
index 0000000000..072da3a795
--- /dev/null
+++ b/releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml
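Review bot: The new `[service_user]` section in the nova-cell template carries no comment saying why nova must now send a service token, unlike the matching cinder hunk in this same patch, so a future maintainer trimming nova.conf.j2 has no hint that dropping it reopens CVE-2023-2088. I would add directly above `[service_user]` the comment `# Send a service token alongside the user token so cinder can verify the request really came from nova (CVE-2023-2088 / OSSA-2023-003).` The section is byte-identical to the one added to the nova role's template further down, so any later change (a different service user, a domain name instead of an id) has to be made in both roles; a one-line comment pointing at the sibling template would make that coupling explicit.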
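Review bot: This hunk makes nova *send* service tokens but the patch does not make nova *validate* them: only cinder's `[keystone_authtoken]` gains `service_token_roles_required = true`, while nova's own `[keystone_authtoken]` section (outside this hunk, earlier in the template) is untouched. Services that call nova with an X-Service-Token — cinder does for some volume events, if its `[service_user]` is configured — would then still be accepted by nova's middleware without the role check that cinder now enforces, unless that option is already set further up the file, which I cannot see from here. If it is not, adding `service_token_roles_required = true` and `service_token_roles = admin` to nova's `[keystone_authtoken]` would keep the two services' handling of service tokens consistent with the OSSA-2023-003 guidance the cinder hunk links to.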
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    Configuration of service user tokens for all Nova and Cinder services
+    is now done automatically, to ensure security of block-storage volume
+    data.
+
+    See `LP#[2004555] `__ for
+    more details.