Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

enable service token role validation for all service tokens #266

Closed
wants to merge 1 commit into from
Closed

enable service token role validation for all service tokens #266

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions templates/cinderapi/config/01-service-defaults.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,9 @@
[DEFAULT]
log_file = {{ .LogFile }}

[keystone_authtoken]
# This is part of hardening related to CVE-2023-2088
# when enabled the service token user must have the service role to be considered valid.
# cinder already checks for this, explicitly in the case of the attchment API even when
# this is not enforced for all service token validation.
service_token_roles_required = true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this needs a newline.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i guess i did not activate the venv when committing. i have precommet but it only runs if i have the venv activated
ill respin this shortly

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already added this in PR#257 and it can be seen here (without the CVE related comment):

cinder-operator/templates/cinder/config/00-global-defaults.conf

Line 66 in e8e5fb3

service_token_roles_required = true

If I remember correctly the cinder CVE code doesn't really need that option, it has an additional internal check so it wouldn't have to depend on this config option. I enabled this option in my PR anyway because I like the keystone middleware being the one that gives the error..

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh cool in that case ill abandon this pr