enable service token role validation for all service tokens #266
Conversation
As part of adressing CVE-2023-2088 cinder was modifed to require the service role to be present in service token when calling the attachemtn api to modify attachments related to nova instance. One recomendation of that CVE mitigration discussions was that all services shoudl enabel the service token role validation by default. This change simplely enabled that by setting [keystone_authtoken]/service_token_roles_required = true Related: OSPRH191
|
@SeanMooney: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| # when enabled the service token user must have the service role to be considered valid. | ||
| # cinder already checks for this, explicitly in the case of the attchment API even when | ||
| # this is not enforced for all service token validation. | ||
| service_token_roles_required = true |
There was a problem hiding this comment.
Looks like this needs a newline.
There was a problem hiding this comment.
i guess i did not activate the venv when committing. i have precommet but it only runs if i have the venv activated
ill respin this shortly
There was a problem hiding this comment.
We already added this in PR#257 and it can be seen here (without the CVE related comment):
If I remember correctly the cinder CVE code doesn't really need that option, it has an additional internal check so it wouldn't have to depend on this config option. I enabled this option in my PR anyway because I like the keystone middleware being the one that gives the error..
There was a problem hiding this comment.
oh cool in that case ill abandon this pr
| # when enabled the service token user must have the service role to be considered valid. | ||
| # cinder already checks for this, explicitly in the case of the attchment API even when | ||
| # this is not enforced for all service token validation. | ||
| service_token_roles_required = true |
There was a problem hiding this comment.
We already added this in PR#257 and it can be seen here (without the CVE related comment):
If I remember correctly the cinder CVE code doesn't really need that option, it has an additional internal check so it wouldn't have to depend on this config option. I enabled this option in my PR anyway because I like the keystone middleware being the one that gives the error..
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: SeanMooney The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
fixed by #257 |
…rators/renovate/openstack-k8s-operators Update openstack-k8s-operators
As part of adressing CVE-2023-2088 cinder was modifed to
require the service role to be present in service token when
calling the attachemtn api to modify attachments related to nova
instance. One recomendation of that CVE mitigration discussions
was that all services shoudl enabel the service token role validation
by default. This change simplely enabled that by setting
[keystone_authtoken]/service_token_roles_required = true
Related: OSPRH191