always add service_user section to nova.conf

As of I3629b84d3255a8fe9d8a7cea8c6131d7c40899e8 nova now requires the service_user section to be configured to address CVE-2023-2088. This change adds the service user section to the nova.conf template in the nova and nova-cell roles. Related-Bug: #2004555 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I2189dafca070accfd8efcd4b8cc4221c6decdc9f (cherry picked from commit a77ea13) (cherry picked from commit 03c12ab) (cherry picked from commit cb105dc) (cherry picked from commit efe6650)
openstack · May 16, 2023 · ddadaa2 · ddadaa2
1 parent be1ca8a
commit ddadaa2
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 0 deletions.
diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -103,6 +103,11 @@ max_retries = -1
 
 [keystone_authtoken]
 service_type = volume
+# security fix, always validate service tokens
+# see: https://security.openstack.org/ossa/OSSA-2023-003.html
+# and: https://docs.openstack.org/cinder/zed/configuration/block-storage/service-token.html#troubleshooting
+service_token_roles_required = true
+service_token_roles = admin
 www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password

diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2
@@ -258,3 +258,16 @@ track_instance_changes = false
 [pci]
 passthrough_whitelist = {{ nova_pci_passthrough_whitelist | to_json }}
 {% endif %}
+
+[service_user]
+send_service_user_token = true
+auth_url = {{ keystone_internal_url }}
+auth_type = password
+project_domain_id = {{ default_project_domain_id }}
+user_domain_id = {{ default_user_domain_id }}
+project_name = service
+username = {{ nova_keystone_user }}
+password = {{ nova_keystone_password }}
+cafile = {{ openstack_cacert }}
+region_name = {{ openstack_region_name }}
+valid_interfaces = internal
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
@@ -204,3 +204,16 @@ auth_endpoint = {{ keystone_internal_url }}
 barbican_endpoint_type = internal
 verify_ssl_path = {{ openstack_cacert }}
 {% endif %}
+
+[service_user]
+send_service_user_token = true
+auth_url = {{ keystone_internal_url }}
+auth_type = password
+project_domain_id = {{ default_project_domain_id }}
+user_domain_id = {{ default_user_domain_id }}
+project_name = service
+username = {{ nova_keystone_user }}
+password = {{ nova_keystone_password }}
+cafile = {{ openstack_cacert }}
+region_name = {{ openstack_region_name }}
+valid_interfaces = internal
diff --git a/releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml b/releasenotes/notes/cve-2023-2088-51e7e050be2139bf.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    Configuration of service user tokens for all Nova and Cinder services
+    is now done automatically, to ensure security of block-storage volume
+    data.
+
+    See `LP#[2004555] <https://bugs.launchpad.net/nova/+bug/2004555>`__ for
+    more details.