always add service_user section to nova.conf

As of I3629b84d3255a8fe9d8a7cea8c6131d7c40899e8 nova
now requires the service_user section to be configured
to address CVE-2023-2088. This change adds
the service user section to the nova.conf template in
the nova and nova-cell roles.

Related-Bug: #2004555
Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I2189dafca070accfd8efcd4b8cc4221c6decdc9f
(cherry picked from commit a77ea13ef1)
(cherry picked from commit 03c12abbcc)
(cherry picked from commit cb105dc293)
(cherry picked from commit efe6650d09)
This commit is contained in:
Sean Mooney 2023-05-10 20:58:47 +01:00 committed by Michal Nasiadka
parent be1ca8a910
commit ddadaa282e
4 changed files with 40 additions and 0 deletions

View File

@ -103,6 +103,11 @@ max_retries = -1
[keystone_authtoken] [keystone_authtoken]
service_type = volume service_type = volume
# security fix, always validate service tokens
# see: https://security.openstack.org/ossa/OSSA-2023-003.html
# and: https://docs.openstack.org/cinder/zed/configuration/block-storage/service-token.html#troubleshooting
service_token_roles_required = true
service_token_roles = admin
www_authenticate_uri = {{ keystone_internal_url }} www_authenticate_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_internal_url }} auth_url = {{ keystone_internal_url }}
auth_type = password auth_type = password

View File

@ -258,3 +258,16 @@ track_instance_changes = false
[pci] [pci]
passthrough_whitelist = {{ nova_pci_passthrough_whitelist | to_json }} passthrough_whitelist = {{ nova_pci_passthrough_whitelist | to_json }}
{% endif %} {% endif %}
[service_user]
send_service_user_token = true
auth_url = {{ keystone_internal_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
project_name = service
username = {{ nova_keystone_user }}
password = {{ nova_keystone_password }}
cafile = {{ openstack_cacert }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal

View File

@ -204,3 +204,16 @@ auth_endpoint = {{ keystone_internal_url }}
barbican_endpoint_type = internal barbican_endpoint_type = internal
verify_ssl_path = {{ openstack_cacert }} verify_ssl_path = {{ openstack_cacert }}
{% endif %} {% endif %}
[service_user]
send_service_user_token = true
auth_url = {{ keystone_internal_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}
project_name = service
username = {{ nova_keystone_user }}
password = {{ nova_keystone_password }}
cafile = {{ openstack_cacert }}
region_name = {{ openstack_region_name }}
valid_interfaces = internal

View File

@ -0,0 +1,9 @@
---
fixes:
- |
Configuration of service user tokens for all Nova and Cinder services
is now done automatically, to ensure security of block-storage volume
data.
See `LP#[2004555] <https://bugs.launchpad.net/nova/+bug/2004555>`__ for
more details.