always add service_user section to nova.conf
As of I3629b84d3255a8fe9d8a7cea8c6131d7c40899e8 nova now requires the service_user section to be configured to address CVE-2023-2088. This change adds the service user section to the nova.conf template in the nova and nova-cell roles. Related-Bug: #2004555 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I2189dafca070accfd8efcd4b8cc4221c6decdc9f (cherry picked from commit a77ea13ef1)
(cherry picked from commit 03c12abbcc)
(cherry picked from commit cb105dc293)
(cherry picked from commit efe6650d09)
parent
be1ca8a910
commit
ddadaa282e
@ -103,6 +103,11 @@ max_retries = -1
|
|||||||
|
|
||||||
[keystone_authtoken]
|
[keystone_authtoken]
|
||||||
service_type = volume
|
service_type = volume
|
||||||
|
# security fix, always validate service tokens
|
||||||
|
# see: https://security.openstack.org/ossa/OSSA-2023-003.html
|
||||||
|
# and: https://docs.openstack.org/cinder/zed/configuration/block-storage/service-token.html#troubleshooting
|
||||||
|
service_token_roles_required = true
|
||||||
|
service_token_roles = admin
|
||||||
www_authenticate_uri = {{ keystone_internal_url }}
|
www_authenticate_uri = {{ keystone_internal_url }}
|
||||||
auth_url = {{ keystone_internal_url }}
|
auth_url = {{ keystone_internal_url }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
|
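Review bot: `service_token_roles = admin` in `[keystone_authtoken]` makes the generic admin role the one that qualifies a token as a service token, so with `service_token_roles_required = true` a token from any admin-role account would pass the service-token check, not only tokens from service accounts. keystonemiddleware's default for this option is `service`, and the advisory linked in the added comments is about restricting these calls to real services. If the deployment's service users hold only `admin` today (not visible in this hunk), record that next to the setting, e.g. `# service users currently hold only the admin role; narrow to a dedicated service role once one is assigned`. The `[keystone_authtoken]` section continues beyond the hunk.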
@ -258,3 +258,16 @@ track_instance_changes = false
|
|||||||
[pci]
|
[pci]
|
||||||
passthrough_whitelist = {{ nova_pci_passthrough_whitelist | to_json }}
|
passthrough_whitelist = {{ nova_pci_passthrough_whitelist | to_json }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
[service_user]
|
||||||
|
send_service_user_token = true
|
||||||
|
auth_url = {{ keystone_internal_url }}
|
||||||
|
auth_type = password
|
||||||
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
|
user_domain_id = {{ default_user_domain_id }}
|
||||||
|
project_name = service
|
||||||
|
username = {{ nova_keystone_user }}
|
||||||
|
password = {{ nova_keystone_password }}
|
||||||
|
cafile = {{ openstack_cacert }}
|
||||||
|
region_name = {{ openstack_region_name }}
|
||||||
|
valid_interfaces = internal
|
||||||
|
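Review bot: The new `[service_user]` block has no comment saying why it exists, and the same eleven lines are added verbatim to a second template in the hunk at `@ -204,3 +204,16 @`, so the two copies can drift without anyone noticing. A one-line header above each section, such as `# required for CVE-2023-2088, see https://security.openstack.org/ossa/OSSA-2023-003.html`, would match the comments in the `[keystone_authtoken]` hunk and tell operators not to drop the section in a config override. The block also renders `password = {{ nova_keystone_password }}` into the file on every host that receives this template, so the rendered file's mode and ownership (set outside this hunk) should stay restricted to the service account.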
@ -204,3 +204,16 @@ auth_endpoint = {{ keystone_internal_url }}
|
|||||||
barbican_endpoint_type = internal
|
barbican_endpoint_type = internal
|
||||||
verify_ssl_path = {{ openstack_cacert }}
|
verify_ssl_path = {{ openstack_cacert }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
[service_user]
|
||||||
|
send_service_user_token = true
|
||||||
|
auth_url = {{ keystone_internal_url }}
|
||||||
|
auth_type = password
|
||||||
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
|
user_domain_id = {{ default_user_domain_id }}
|
||||||
|
project_name = service
|
||||||
|
username = {{ nova_keystone_user }}
|
||||||
|
password = {{ nova_keystone_password }}
|
||||||
|
cafile = {{ openstack_cacert }}
|
||||||
|
region_name = {{ openstack_region_name }}
|
||||||
|
valid_interfaces = internal
|
||||||
|
9
releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml
Normal file
9
releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Configuration of service user tokens for all Nova and Cinder services
|
||||||
|
is now done automatically, to ensure security of block-storage volume
|
||||||
|
data.
|
||||||
|
|
||||||
|
See `LP#[2004555] <https://bugs.launchpad.net/nova/+bug/2004555>`__ for
|
||||||
|
more details.
|