Red Hat OpenStack Services on OpenShift / OSPRH-191

Adapt Operators to the new requirements for service_users

    • CVE-2023-2088-support
    • Committed
    • No Docs Impact
    • To Do
    • OSPRH-811 - Red Hat OpenStack 18.0 Greenfield Deployment
    • Committed
    • No impact
    • Release Note Not Required
    • 2024Q1
    • Compute
    • Approved

      https://bugs.launchpad.net/nova/+bug/2004555

      As part of resolving CVE-2023-2088 there are a number of deployment tool modifications that are required to close the CVE.

      This involves always generating the service_user config in Nova (and ideally in all services that support it),

      adapting the service user creation to apply the service role to the service users, e.g. nova, neutron, etc.,

      enabling service_token role checking,

      configuring multipath to verify the roles on the service token and assert the service role is present.

      In the context of the CVE this epic applies to all services that interact with the Cinder attachments API, but in general these changes should be applied to all OpenStack service operators.
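
A check for the configuration side of the steps above, as an added example (not code from the operators or from this issue). The option names `[service_user] send_service_user_token`, `[keystone_authtoken] service_token_roles` and `service_token_roles_required` are the upstream Nova and keystonemiddleware options and are not named on this page; the sample configs are constructed. Role assignment to the service users lives in Keystone and is not covered by this check.

```python
import configparser

# Constructed sample configs (not taken from any real deployment).
NOVA_WEAK = """
[keystone_authtoken]
auth_url = https://keystone.example.test/v3
"""

NOVA_HARDENED = """
[keystone_authtoken]
auth_url = https://keystone.example.test/v3
service_token_roles = service
service_token_roles_required = true

[service_user]
send_service_user_token = true
auth_type = password
username = nova
"""

TRUE = {"1", "true", "yes", "on"}


def audit_service_token_config(text, required_role="service"):
    """Return a list of findings; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    def get(section, option):
        # A missing section or option is treated as "not set".
        return cp.get(section, option, fallback="").strip()

    # 1. The service must send its own token alongside the user's token.
    if get("service_user", "send_service_user_token").lower() not in TRUE:
        findings.append("[service_user] send_service_user_token is not enabled")
    # 2. The role that marks a valid service token must be listed explicitly.
    roles = [r.strip() for r in get("keystone_authtoken", "service_token_roles").split(",")]
    if required_role not in roles:
        findings.append(f"[keystone_authtoken] service_token_roles does not explicitly list '{required_role}'")
    # 3. Role checking must be enforced, not only configured.
    if get("keystone_authtoken", "service_token_roles_required").lower() not in TRUE:
        findings.append("[keystone_authtoken] service_token_roles_required is not true")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", NOVA_WEAK), ("hardened", NOVA_HARDENED)):
        print(name, audit_service_token_config(text) or "OK")
```
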

            smooney@redhat.com Sean Mooney
            James Parker
            rhos-dfg-compute