From 6197bfa6c86850912532cf6320027e3989709171 Mon Sep 17 00:00:00 2001
From: Sean Mooney
Date: Fri, 15 Sep 2023 14:23:01 +0100
Subject: [PATCH] enable service token role validation for all service tokens

As part of adressing CVE-2023-2088 cinder was modifed to require the service role to be present in service token when calling the attachemtn api to modify attachments related to nova instance. One recomendation of that CVE mitigration discussions was that all services shoudl enabel the service token role validation by default. This change simplely enabled that by setting [keystone_authtoken]/service_token_roles_required = true

Related: OSPRH191
---
 templates/cinderapi/config/01-service-defaults.conf | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/templates/cinderapi/config/01-service-defaults.conf b/templates/cinderapi/config/01-service-defaults.conf
index e67156c5..b340dbcd 100644
--- a/templates/cinderapi/config/01-service-defaults.conf
+++ b/templates/cinderapi/config/01-service-defaults.conf
@@ -1,2 +1,9 @@
 [DEFAULT]
 log_file = {{ .LogFile }}
+
+[keystone_authtoken]
+# This is part of hardening related to CVE-2023-2088
+# when enabled the service token user must have the service role to be considered valid.
+# cinder already checks for this, explicitly in the case of the attchment API even when
+# this is not enforced for all service token validation.
+service_token_roles_required = true
\ No newline at end of file
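Review bot: The comment block above `service_token_roles_required` should name where the accepted role list comes from, because keystonemiddleware compares the service token's roles against `[keystone_authtoken]/service_token_roles` (default `service`) rather than hard-coding "the service role"; a one-line addition such as `# the accepted roles are taken from service_token_roles (default: service)` makes the dependency visible to anyone tuning this section. As I understand the middleware, once this flag is true a service token whose user lacks one of those roles is rejected instead of only logged as a warning, so nova's service user and any other caller that sends service tokens to this endpoint must already hold the role before this default ships — that operational precondition is worth stating in the comment or the commit message. Two smaller nits: `attchment` in the third comment line should read `attachment`, and the new last line has no trailing newline (`\ No newline at end of file`), which will churn the next diff that touches this file.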