Merge pull request #346 from dmendiza/enable-secure-rbac
Enable Secure RBAC by default
openshift-merge-bot[bot] authored Feb 19, 2024
2 parents 9bbb46c + 13db6de commit 70a29a0
Showing 5 changed files with 20 additions and 0 deletions.
5 changes: 5 additions & 0 deletions api/bases/keystone.openstack.org_keystoneapis.yaml
Expand Up @@ -86,6 +86,11 @@ spec:
files. Those get added to the service config dir in /etc/<service>
. TODO: -> implement'
type: object
enableSecureRBAC:
default: true
description: EnableSecureRBAC - Enable Consistent and Secure RBAC
policies
type: boolean
memcachedInstance:
default: memcached
description: Memcached instance name.
5 changes: 5 additions & 0 deletions api/v1beta1/keystoneapi_types.go
Expand Up @@ -96,6 +96,11 @@ type KeystoneAPISpec struct {
// Secret containing OpenStack password information for keystone KeystoneDatabasePassword, AdminPassword
Secret string `json:"secret"`

// +kubebuilder:validation:Optional
// +kubebuilder:default=true
// EnableSecureRBAC - Enable Consistent and Secure RBAC policies
EnableSecureRBAC bool `json:"enableSecureRBAC"`

// +kubebuilder:validation:Optional
// +kubebuilder:default=""
// TrustFlushArgs - Arguments added to keystone-manage trust_flush command
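Review bot: `EnableSecureRBAC bool` with `+kubebuilder:default=true` and a plain `json:"enableSecureRBAC"` tag cannot tell "unset" apart from `false`: the API server applies the CRD default only when the key is absent, but any Go client that builds a KeystoneAPISpec without touching this field serializes it as `false` and so switches secure RBAC off without anyone asking for it. I cannot see the callers from here, but if another operator creates this CR from Go the safer shape is `EnableSecureRBAC *bool` tagged `json:"enableSecureRBAC,omitempty"` with the controller treating nil as true; adding `omitempty` alone would instead make `false` unexpressible from Go. The field comment should also say what the switch does, because the consequence is security-relevant: `// EnableSecureRBAC - render oslo_policy enforce_new_defaults/enforce_scope into keystone.conf. Setting this to false disables scope enforcement and the new policy defaults; only do so for compatibility with clients that cannot use them.` The hunk is a fragment of the KeystoneAPISpec struct, which starts and ends outside it.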
5 changes: 5 additions & 0 deletions config/crd/bases/keystone.openstack.org_keystoneapis.yaml
Expand Up @@ -86,6 +86,11 @@ spec:
files. Those get added to the service config dir in /etc/<service>
. TODO: -> implement'
type: object
enableSecureRBAC:
default: true
description: EnableSecureRBAC - Enable Consistent and Secure RBAC
policies
type: boolean
memcachedInstance:
default: memcached
description: Memcached instance name.
1 change: 1 addition & 0 deletions controllers/keystoneapi_controller.go
Expand Up @@ -1198,6 +1198,7 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps(
instance.Status.DatabaseHostname,
keystone.DatabaseName,
),
"enableSecureRBAC": instance.Spec.EnableSecureRBAC,
}

// create httpd vhost template parameters
4 changes: 4 additions & 0 deletions templates/keystoneapi/config/keystone.conf
Expand Up @@ -11,6 +11,10 @@ max_retries=-1
db_max_retries=-1
connection={{ .DatabaseConnection }}

[oslo_policy]
enforce_new_defaults = {{ .enableSecureRBAC }}
enforce_scope = {{ .enableSecureRBAC }}

[fernet_tokens]
key_repository=/etc/keystone/fernet-keys
max_active_keys=2
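Review bot: The two keys added under `[oslo_policy]` are the ones that decide whether keystone rejects requests whose token scope does not match the policy, yet the rendered keystone.conf gives an operator no hint that they come from the CR and that flipping `spec.enableSecureRBAC` to false turns that enforcement off; a comment above them such as `# Managed by KeystoneAPI.spec.enableSecureRBAC; false disables scope and new-defaults enforcement` makes the downgrade visible to anyone reading the config from a pod. Note also that `false` is written out explicitly rather than the section being omitted, so on a keystone release whose built-in defaults for these options are already true this field actively disables them instead of leaving upstream behaviour in place. If that is the intent it belongs in the field's description; if not, rendering the two keys only under `{{ if .enableSecureRBAC }}` keeps the opt-out from overriding upstream defaults.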

0 comments on commit 70a29a0

Please sign in to comment.