| andrewbogott__ | I'm 60% sure that the fix for CVE-2026-43001 broke creation of magnum clusters with app credentials. "You are not authorized to perform the requested action: Using method 'application_credential' is not allowed for managing trusts" | 15:11 |
|---|---|---|
| andrewbogott__ | anyone else seeing that? Or is there some workaround that I missed? | 15:11 |
| andrewbogott__ | OK, the answer is: those fixes absolutely break creation of coe clusters with app credentials. The workaround is: | 15:44 |
| andrewbogott__ | [security_compliance] | 15:44 |
| andrewbogott__ | allow_insecure_application_credential_trust_escalation = true | 15:44 |
| andrewbogott__ | in keystone. | 15:44 |
| andrewbogott__ | https://bugs.launchpad.net/magnum/+bug/2157024 | 15:49 |
| mnasiadka | andrewbogott__: yes, we see that, I did some additional work to make an option for drivers to not create trusts (which basically broke with that CVE being patched) - but I don’t think that was picked up on the driver side | 16:54 |
| andrewbogott__ | mnasiadka: that's definitely worth pursuing in latest drivers! But meanwhile a bit of documentation will do. | 17:58 |
| opendevreview | Ghanshyam Maan proposed openstack/magnum master: Remove setting of oslo_policy[enforce_scope] flag https://review.opendev.org/c/openstack/magnum/+/993828 | 19:54 |