Magnum "enable_cluster_user_trust" documentation

Bug #1842449 reported by Joseph M
This bug affects 3 people
Affects        Status   Importance  Assigned to  Milestone
kolla-ansible  Triaged  Medium      Unassigned
Stein          Triaged  Medium      Unassigned
Train          Triaged  Medium      Unassigned

Bug Description

Operating system distribution and version: CentOS Linux release 7.6.1810
Kolla-Ansible package version: kolla-ansible 8.0.1.dev77
install_type (source/binary) and distribution from /etc/kolla/globals.yml: centos source stein
Are you using official images from Docker Hub or self built? Official

enable_cluster_user_trust defaults to "false" for security reasons, as setting it to "true" enables Magnum clusters to make API calls that change the owning project. Unfortunately these API calls are what make Magnum-created clusters so useful: they enable mounting Cinder volumes and creating Octavia load balancers, among other things.

It has been determined by the PTL (mgoddard) in IRC that the default value of "false" should not be changed due to the aforementioned security issues. We need to document this default configuration's lack of functionality in the project's documentation. It may also benefit to add a variable that controls this to globals.yml with a brief note on its implications.

Mark Goddard (mgoddard)
Changed in kolla-ansible:
status: New → Triaged
importance: Undecided → Medium
Mark Goddard (mgoddard) wrote :

Related patch pushed to magnum: https://review.opendev.org/#/c/681922

Mark Goddard (mgoddard) wrote :

The above fix has been merged to master in magnum.
