add cluster_user_trust option in magnum.conf

Bug #1996237 reported by Narinder Gupta
Affects | Status | Importance | Assigned to | Milestone
OpenStack Charm Guide | Fix Released | Undecided | Felipe Reyes |
OpenStack Magnum Charm | Fix Committed | High | Felipe Reyes |
2023.1 | Fix Committed | Undecided | Unassigned |
Ussuri | Fix Committed | Undecided | Unassigned |
Victoria | Fix Committed | Undecided | Unassigned |
Wallaby | Fix Committed | Undecided | Unassigned |
Xena | Fix Committed | Undecided | Unassigned |
Yoga | Fix Committed | Undecided | Unassigned |
Zed | Fix Committed | Undecided | Unassigned |

Bug Description

TCS want to add the cloud provider into the magnum defined cluster using the label cloud_provider_enabled=true so that a native load balancer can be created. As per the upstream documentation https://docs.openstack.org/magnum/latest/user/ this label overrides the value by cluster_user_trust in magnum.conf, which is false by default.

To have cloud_provider_enabled working we need to make cluster_user_trust = true under the trust section of the conf file. This request is to provide the configuration option in the magnum.conf file so that the cloud_provider_enabled label can be implemented.

Changed in charm-magnum:
status: New → Triaged
importance: Undecided → Wishlist
Billy Olsen (billy-olsen) wrote :

I have triaged this as on the surface it's as simple as enabling a configuration option. However, it should be noted that there are additional considerations for this and the configuration does present the potential of secrets leaking per the documentation (CVE-2016-7404). Thus, the consequences of enabling such an option should be clearly spelled out.

Felipe Reyes (freyes)
Changed in charm-magnum:
importance: Wishlist → High
assignee: nobody → Felipe Reyes (freyes)
Changed in charm-guide:
assignee: nobody → Felipe Reyes (freyes)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-magnum (master)
Changed in charm-magnum:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-guide (master)
Changed in charm-guide:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-magnum (master)

Change abandoned by "Felipe Reyes <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/charm-magnum/+/894217
Reason: in favor of https://review.opendev.org/c/openstack/charm-magnum/+/824170

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-magnum (master)

Reviewed: https://review.opendev.org/c/openstack/charm-magnum/+/824170
Committed: https://opendev.org/openstack/charm-magnum/commit/29260ddf8ae040e6319732a21ece4cca96196a5f
Submitter: "Zuul (22348)"
Branch: master

commit 29260ddf8ae040e6319732a21ece4cca96196a5f
Author: Jesper Schmitz Mouridsen <email address hidden>
Date: Thu Sep 7 14:54:00 2023 -0300

    Add cluster-user-trust config option

    Clusters created with the option cloud_provider_enabled or
    registry_enabled set to true, or volume_driver set to 'cinder' need
    this flag set to True as well to instruct Magnum to assign trust to the
    cluster user.

    This option defaults to False due to security concerns (see
    https://bugs.launchpad.net/bugs/cve/2016-7404 )

    [0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

    Closes-Bug: #1996237
    Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3

Changed in charm-magnum:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-magnum (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/charm-magnum/+/894271

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-magnum (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/charm-magnum/+/894273

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-magnum (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/charm-magnum/+/894274

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-magnum (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/charm-magnum/+/894275

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-magnum (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/charm-magnum/+/894276

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-magnum (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/charm-magnum/+/894277

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-magnum (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/charm-magnum/+/894279

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-guide (master)

Reviewed: https://review.opendev.org/c/openstack/charm-guide/+/894218
Committed: https://opendev.org/openstack/charm-guide/commit/9da7e7d869f1d8e73c8dbf4ac4f571b970852e59
Submitter: "Zuul (22348)"
Branch: master

commit 9da7e7d869f1d8e73c8dbf4ac4f571b970852e59
Author: Felipe Reyes <email address hidden>
Date: Thu Sep 7 15:08:40 2023 -0300

    magnum charm: new option to expose cluster_user_trust

    Closes-Bug: #1996237
    Depends-On: https://review.opendev.org/c/openstack/charm-magnum/+/824170
    Change-Id: I2891440f4c3e64c483ac68a66418a762ca80d9e2

Changed in charm-guide:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-magnum (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/charm-magnum/+/894271
Committed: https://opendev.org/openstack/charm-magnum/commit/d8aa7374a9b78681cb17a963d5161057f7100db2
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit d8aa7374a9b78681cb17a963d5161057f7100db2
Author: Jesper Schmitz Mouridsen <email address hidden>
Date: Thu Sep 7 14:54:00 2023 -0300

    Add cluster-user-trust config option

    Clusters created with the option cloud_provider_enabled or
    registry_enabled set to true, or volume_driver set to 'cinder' need
    this flag set to True as well to instruct Magnum to assign trust to the
    cluster user.

    This option defaults to False due to security concerns (see
    https://bugs.launchpad.net/bugs/cve/2016-7404 )

    [0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

    Closes-Bug: #1996237
    Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3
    (cherry picked from commit 29260ddf8ae040e6319732a21ece4cca96196a5f)

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-magnum (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/charm-magnum/+/894273
Committed: https://opendev.org/openstack/charm-magnum/commit/38000d0756e31b48367c660a799a3340b26ebaaf
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 38000d0756e31b48367c660a799a3340b26ebaaf
Author: Jesper Schmitz Mouridsen <email address hidden>
Date: Thu Sep 7 14:54:00 2023 -0300

    Add cluster-user-trust config option

    Clusters created with the option cloud_provider_enabled or
    registry_enabled set to true, or volume_driver set to 'cinder' need
    this flag set to True as well to instruct Magnum to assign trust to the
    cluster user.

    This option defaults to False due to security concerns (see
    https://bugs.launchpad.net/bugs/cve/2016-7404 )

    [0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

    Closes-Bug: #1996237
    Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3
    (cherry picked from commit 29260ddf8ae040e6319732a21ece4cca96196a5f)

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-magnum (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/charm-magnum/+/894274
Committed: https://opendev.org/openstack/charm-magnum/commit/b68373ab68dece63be5769432078e8473f18d21a
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit b68373ab68dece63be5769432078e8473f18d21a
Author: Jesper Schmitz Mouridsen <email address hidden>
Date: Thu Sep 7 14:54:00 2023 -0300

    Add cluster-user-trust config option

    Clusters created with the option cloud_provider_enabled or
    registry_enabled set to true, or volume_driver set to 'cinder' need
    this flag set to True as well to instruct Magnum to assign trust to the
    cluster user.

    This option defaults to False due to security concerns (see
    https://bugs.launchpad.net/bugs/cve/2016-7404 )

    [0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

    Closes-Bug: #1996237
    Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3
    (cherry picked from commit 29260ddf8ae040e6319732a21ece4cca96196a5f)

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-magnum (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/charm-magnum/+/894275
Committed: https://opendev.org/openstack/charm-magnum/commit/515d883d5227a5f277463a7a53b016b96b76f82e
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 515d883d5227a5f277463a7a53b016b96b76f82e
Author: Jesper Schmitz Mouridsen <email address hidden>
Date: Thu Sep 7 14:54:00 2023 -0300

    Add cluster-user-trust config option

    Clusters created with the option cloud_provider_enabled or
    registry_enabled set to true, or volume_driver set to 'cinder' need
    this flag set to True as well to instruct Magnum to assign trust to the
    cluster user.

    This option defaults to False due to security concerns (see
    https://bugs.launchpad.net/bugs/cve/2016-7404 )

    [0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

    Closes-Bug: #1996237
    Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3
    (cherry picked from commit 29260ddf8ae040e6319732a21ece4cca96196a5f)

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-magnum (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/charm-magnum/+/894276
Committed: https://opendev.org/openstack/charm-magnum/commit/3e8a17c54763e30980b25416f0b2cca47e193a0f
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 3e8a17c54763e30980b25416f0b2cca47e193a0f
Author: Jesper Schmitz Mouridsen <email address hidden>
Date: Thu Sep 7 14:54:00 2023 -0300

    Add cluster-user-trust config option

    Clusters created with the option cloud_provider_enabled or
    registry_enabled set to true, or volume_driver set to 'cinder' need
    this flag set to True as well to instruct Magnum to assign trust to the
    cluster user.

    This option defaults to False due to security concerns (see
    https://bugs.launchpad.net/bugs/cve/2016-7404 )

    [0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

    Closes-Bug: #1996237
    Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3
    (cherry picked from commit 29260ddf8ae040e6319732a21ece4cca96196a5f)

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-magnum (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/charm-magnum/+/894277
Committed: https://opendev.org/openstack/charm-magnum/commit/42260c7ca715203c1ffb89d1e057d01d9aa6d74f
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 42260c7ca715203c1ffb89d1e057d01d9aa6d74f
Author: Jesper Schmitz Mouridsen <email address hidden>
Date: Thu Sep 7 14:54:00 2023 -0300

    Add cluster-user-trust config option

    Clusters created with the option cloud_provider_enabled or
    registry_enabled set to true, or volume_driver set to 'cinder' need
    this flag set to True as well to instruct Magnum to assign trust to the
    cluster user.

    This option defaults to False due to security concerns (see
    https://bugs.launchpad.net/bugs/cve/2016-7404 )

    [0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

    Closes-Bug: #1996237
    Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3
    (cherry picked from commit 29260ddf8ae040e6319732a21ece4cca96196a5f)

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-magnum (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/charm-magnum/+/894279
Committed: https://opendev.org/openstack/charm-magnum/commit/88a7d39cf24bcde7b2513662cfc614a2fa3401da
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 88a7d39cf24bcde7b2513662cfc614a2fa3401da
Author: Jesper Schmitz Mouridsen <email address hidden>
Date: Thu Sep 7 14:54:00 2023 -0300

    Add cluster-user-trust config option

    Clusters created with the option cloud_provider_enabled or
    registry_enabled set to true, or volume_driver set to 'cinder' need
    this flag set to True as well to instruct Magnum to assign trust to the
    cluster user.

    This option defaults to False due to security concerns (see
    https://bugs.launchpad.net/bugs/cve/2016-7404 )

    [0] https://docs.openstack.org/magnum/latest/user/index.html#cloud-provider-enabled

    Closes-Bug: #1996237
    Change-Id: I393030fa0da244ba5928482c8ef4e75e53f1a7b3
    (cherry picked from commit 29260ddf8ae040e6319732a21ece4cca96196a5f)
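
A check an operator could run before or after turning the option on, as an added example that is not part of the bug report or the charm's code: it reads the effective `[trust] cluster_user_trust` value from a magnum.conf and compares it with the cluster options the commit message lists as needing it. The sample config, cluster names, helper names and the set of accepted truthy strings are assumptions made for illustration.

```python
import configparser

TRUTHY = {"1", "true", "yes", "on"}  # assumed spellings of an enabled label

def cluster_user_trust(conf_text):
    """Effective [trust] cluster_user_trust; False when unset (the default)."""
    # default_section is moved out of the way so a key placed in [DEFAULT]
    # by mistake is not inherited by [trust], as configparser would do.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(conf_text)
    return cp.getboolean("trust", "cluster_user_trust", fallback=False)

def trust_dependent(options):
    """Cluster options that need the trust, per the commit message above."""
    hits = [k for k in ("cloud_provider_enabled", "registry_enabled")
            if str(options.get(k, "")).lower() in TRUTHY]
    if str(options.get("volume_driver", "")).lower() == "cinder":
        hits.append("volume_driver")
    return hits

def audit(conf_text, clusters):
    """Return (subject, finding) pairs where config and clusters disagree."""
    enabled = cluster_user_trust(conf_text)
    findings, any_need = [], False
    for name, options in clusters.items():
        deps = trust_dependent(options)
        any_need = any_need or bool(deps)
        if deps and not enabled:
            findings.append(
                (name, "needs cluster_user_trust=True for " + ", ".join(deps)))
    # Trust enabled with no consumer: exposure without benefit (CVE-2016-7404).
    if enabled and not any_need:
        findings.append(
            ("magnum.conf", "cluster_user_trust=True but no cluster needs it"))
    return findings

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_DEFAULT = "[DEFAULT]\ndebug = false\n[trust]\ntrustee_domain_name = magnum\n"
SAMPLE_ENABLED = SAMPLE_DEFAULT + "cluster_user_trust = True\n"
SAMPLE_CLUSTERS = {
    "k8s-lb": {"cloud_provider_enabled": "true"},
    "k8s-plain": {"cloud_provider_enabled": "false", "volume_driver": ""},
}

if __name__ == "__main__":
    for conf in (SAMPLE_DEFAULT, SAMPLE_ENABLED):
        print(cluster_user_trust(conf), audit(conf, SAMPLE_CLUSTERS))
```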
