Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package magnum 3.1.1-5. This version fixes CVE-2016-7404 (#863547). Debdiff attached. Thanks. unblock magnum/3.1.1-5 -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru magnum-3.1.1/debian/changelog magnum-3.1.1/debian/changelog --- magnum-3.1.1/debian/changelog 2017-04-04 17:31:50.000000000 +0200 +++ magnum-3.1.1/debian/changelog 2017-06-01 16:31:39.000000000 +0200 @@ -1,3 +1,10 @@ +magnum (3.1.1-5) unstable; urgency=medium + + * Team upload. + * Fix CVE-2016-7404 (Closes: #863547) + + -- Ondřej Nový <on...@debian.org> Thu, 01 Jun 2017 16:31:39 +0200 + magnum (3.1.1-4) unstable; urgency=medium * Brazilian Portuguese debconf templates (Closes: #852444). diff -Nru magnum-3.1.1/debian/patches/CVE-2016-7404.patch magnum-3.1.1/debian/patches/CVE-2016-7404.patch --- magnum-3.1.1/debian/patches/CVE-2016-7404.patch 1970-01-01 01:00:00.000000000 +0100 +++ magnum-3.1.1/debian/patches/CVE-2016-7404.patch 2017-06-01 16:31:39.000000000 +0200 
@@ -0,0 +1,743 @@ +From 2d4e617a529ea12ab5330f12631f44172a623a14 Mon Sep 17 00:00:00 2001 +From: Johannes Grassler <johannes.grass...@suse.com> +Date: Fri, 16 Sep 2016 10:01:07 +0200 +Subject: [PATCH] Fix CVE-2016-7404 + +This commit addresses multiple potential vulnerabilities in +Magnum. It makes the following changes: + +* Permissions for /etc/sysconfig/heat-params inside Magnum + created instances are tightened to 0600 (used to be 0755). +* Certificate retrieval is modified to work without the need + for a Keystone trust. +* The cluster's Keystone trust id is only passed into + instances for clusters where that is actually needed. This + prevents the trustee user from consuming the trust in cases + where it is not needed. +* The configuration setting trust/cluster_user_trust (False by + default) is introduced. It needs to be explicitely enabled + by the cloud operator to allow clusters that need the + trust_id to be passed into instances to work. Without this + setting, attempts to create such clusters will fail. + +Please note, that none of these changes apply to existing +clusters. They will have to be deleted and rebuilt to benefit +from these changes. + +(cherry picked from commit e93d82e8b3bc19211efd54edc17aebdca50670c1) + +Changes for backport: + +* Moved cluster_user_trust setting to magnum/common/keystone.py +* Resolved merge conflicts. +* Fixed unit tests with configuration overrides. 
+ +Change-Id: I408d845ee4fd00d5bcd1e90f0a78f2bba3f2a57a +--- + devstack/lib/magnum | 1 + + etc/magnum/policy.json | 54 +++++++++++----------- + magnum/common/keystone.py | 12 +++++ + magnum/common/policy.py | 12 +++++ + magnum/conductor/handlers/common/trust_manager.py | 13 ++++-- + magnum/db/sqlalchemy/api.py | 17 ++++++- + magnum/drivers/common/template_def.py | 16 ++++++- + .../kubernetes/fragments/make-cert-client.sh | 5 -- + .../templates/kubernetes/fragments/make-cert.sh | 5 -- + .../fragments/write-heat-params-master.yaml | 2 +- + .../kubernetes/fragments/write-heat-params.yaml | 2 +- + .../templates/fragments/make-cert-client.yaml | 5 -- + .../templates/fragments/make-cert.yaml | 5 -- + .../fragments/write-heat-params-master.yaml | 2 +- + .../templates/fragments/write-heat-params.yaml | 2 +- + .../templates/fragments/write-heat-params.yaml | 2 +- + .../templates/fragments/make-cert.py | 6 --- + .../fragments/write-heat-params-master.yaml | 2 +- + .../fragments/write-heat-params-node.yaml | 2 +- + magnum/tests/base.py | 27 +++++++++++ + magnum/tests/unit/common/test_keystone.py | 15 ++++++ + .../handlers/common/test_trust_manager.py | 3 +- + .../conductor/handlers/test_cluster_conductor.py | 5 ++ + .../handlers/test_k8s_cluster_conductor.py | 14 ++++-- + .../handlers/test_mesos_cluster_conductor.py | 9 ++-- + .../handlers/test_swarm_cluster_conductor.py | 8 +++- + 26 files changed, 171 insertions(+), 75 deletions(-) + +--- a/devstack/lib/magnum ++++ b/devstack/lib/magnum +@@ -206,6 +206,7 @@ + --os-identity-api-version 3 role add \ + --user $trustee_domain_admin_id --domain $trustee_domain_id \ + admin ++ iniset $MAGNUM_CONF trust cluster_user_trust True + iniset $MAGNUM_CONF trust trustee_domain_name magnum + iniset $MAGNUM_CONF trust trustee_domain_admin_name trustee_domain_admin + iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD +--- a/etc/magnum/policy.json ++++ b/etc/magnum/policy.json +@@ -4,35 +4,37 @@ + 
"default": "rule:admin_or_owner", + "admin_api": "rule:context_is_admin", + "admin_or_user": "is_admin:True or user_id:%(user_id)s", ++ "cluster_user": "user_id:%(trustee_user_id)s", ++ "deny_cluster_user": "not domain_id:%(trustee_domain_id)s", + +- "bay:create": "rule:default", +- "bay:delete": "rule:default", +- "bay:detail": "rule:default", +- "bay:get": "rule:default", +- "bay:get_all": "rule:default", +- "bay:update": "rule:default", +- +- "baymodel:create": "rule:default", +- "baymodel:delete": "rule:default", +- "baymodel:detail": "rule:default", +- "baymodel:get": "rule:default", +- "baymodel:get_all": "rule:default", +- "baymodel:update": "rule:default", ++ "bay:create": "rule:deny_cluster_user", ++ "bay:delete": "rule:deny_cluster_user", ++ "bay:detail": "rule:deny_cluster_user", ++ "bay:get": "rule:deny_cluster_user", ++ "bay:get_all": "rule:deny_cluster_user", ++ "bay:update": "rule:deny_cluster_user", ++ ++ "baymodel:create": "rule:deny_cluster_user", ++ "baymodel:delete": "rule:deny_cluster_user", ++ "baymodel:detail": "rule:deny_cluster_user", ++ "baymodel:get": "rule:deny_cluster_user", ++ "baymodel:get_all": "rule:deny_cluster_user", ++ "baymodel:update": "rule:deny_cluster_user", + "baymodel:publish": "rule:admin_or_owner", + +- "cluster:create": "rule:default", +- "cluster:delete": "rule:default", +- "cluster:detail": "rule:default", +- "cluster:get": "rule:default", +- "cluster:get_all": "rule:default", +- "cluster:update": "rule:default", +- +- "clustertemplate:create": "rule:default", +- "clustertemplate:delete": "rule:default", +- "clustertemplate:detail": "rule:default", +- "clustertemplate:get": "rule:default", +- "clustertemplate:get_all": "rule:default", +- "clustertemplate:update": "rule:default", ++ "cluster:create": "rule:deny_cluster_user", ++ "cluster:delete": "rule:deny_cluster_user", ++ "cluster:detail": "rule:deny_cluster_user", ++ "cluster:get": "rule:deny_cluster_user", ++ "cluster:get_all": "rule:deny_cluster_user", ++ 
"cluster:update": "rule:deny_cluster_user", ++ ++ "clustertemplate:create": "rule:deny_cluster_user", ++ "clustertemplate:delete": "rule:deny_cluster_user", ++ "clustertemplate:detail": "rule:deny_cluster_user", ++ "clustertemplate:get": "rule:deny_cluster_user", ++ "clustertemplate:get_all": "rule:deny_cluster_user", ++ "clustertemplate:update": "rule:deny_cluster_user", + "clustertemplate:publish": "rule:admin_or_owner", + + "rc:create": "rule:default", +@@ -42,8 +44,8 @@ + "rc:get_all": "rule:default", + "rc:update": "rule:default", + +- "certificate:create": "rule:admin_or_user", +- "certificate:get": "rule:admin_or_user", ++ "certificate:create": "rule:admin_or_user or rule:cluster_user", ++ "certificate:get": "rule:admin_or_user or rule:cluster_user", + + "magnum-service:get_all": "rule:admin_api" + } +--- a/magnum/common/keystone.py ++++ b/magnum/common/keystone.py +@@ -31,6 +31,17 @@ + LOG = logging.getLogger(__name__) + + trust_opts = [ ++ cfg.BoolOpt('cluster_user_trust', ++ default=False, ++ help=_('This setting controls whether to assign a trust to' ++ ' the cluster user or not. You will need to set it to' ++ ' True for clusters with volume_driver=cinder or' ++ ' registry_enabled=true in the underlying cluster' ++ ' template to work. This is a potential security risk' ++ ' since the trust gives instances OpenStack API access' ++ " to the cluster's project. 
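Review bot: The new `bay:*`, `baymodel:*`, `cluster:*` and `clustertemplate:*` rows replace `rule:default` (admin_or_owner) with `rule:deny_cluster_user` alone, so the policy layer no longer expresses any owner constraint and project scoping now rests entirely on the DB-level tenant filter. Keeping both is cheap and self-documenting: `"cluster:get": "rule:default and rule:deny_cluster_user"` for each row, or define `"deny_cluster_user": "rule:default and not domain_id:%(trustee_domain_id)s"` once. Note also that, as far as I recall oslo.policy's generic check, a target dict lacking the `trustee_domain_id` key makes `domain_id:%(trustee_domain_id)s` evaluate false, so the negated rule passes — an enforce path that does not populate that key fails open rather than closed, which deserves a comment next to the rule.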
Note that this setting" ++ ' does not affect per-cluster trusts assigned to the' ++ 'Magnum service user.')), + cfg.StrOpt('trustee_domain_id', + help=_('Id of the domain to create trustee for clusters')), + cfg.StrOpt('trustee_domain_name', +@@ -249,6 +260,7 @@ + project=trustor_project_id, + trustee_user=trustee_user, + impersonation=True, ++ delegation_depth=0, + role_names=roles) + except Exception: + LOG.exception(_LE('Failed to create trust')) +--- a/magnum/common/policy.py ++++ b/magnum/common/policy.py +@@ -20,6 +20,8 @@ + from oslo_policy import policy + import pecan + ++from magnum.common import clients ++from magnum.common import context + from magnum.common import exception + + +@@ -92,10 +94,20 @@ + if target is None: + target = {'project_id': context.project_id, + 'user_id': context.user_id} ++ add_policy_attributes(target) + return enforcer.enforce(rule, target, credentials, + do_raise=do_raise, exc=exc, *args, **kwargs) + + ++def add_policy_attributes(target): ++ """Adds extra information for policy enforcement to raw target object""" ++ admin_context = context.make_admin_context() ++ admin_osc = clients.OpenStackClients(admin_context) ++ trustee_domain_id = admin_osc.keystone().trustee_domain_id ++ target['trustee_domain_id'] = trustee_domain_id ++ return target ++ ++ + def enforce_wsgi(api_name, act=None): + """This is a decorator to simplify wsgi action policy rule check. 
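Review bot: The `cluster_user_trust` help text is missing a separator between its last two fragments: `' does not affect per-cluster trusts assigned to the'` followed by `'Magnum service user.'` renders as "…assigned to theMagnum service user." in the sample config and `--help`; change the last fragment to `' Magnum service user.'`. The help could also state the concrete risk the operator accepts: the trust is created with `impersonation=True` (visible in the second hunk), so instances act as the trustor, not merely with delegated roles. `delegation_depth=0` is a good hardening and would benefit from a one-line comment, e.g. `# forbid re-delegation: the trustee must not be able to mint further trusts`.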
+ +--- a/magnum/conductor/handlers/common/trust_manager.py ++++ b/magnum/conductor/handlers/common/trust_manager.py +@@ -22,15 +22,20 @@ + def create_trustee_and_trust(osc, cluster): + try: + password = utils.generate_password(length=18) ++ + trustee = osc.keystone().create_trustee( +- cluster.uuid, ++ "%s_%s" % (cluster.uuid, cluster.project_id), + password, + ) ++ + cluster.trustee_username = trustee.name + cluster.trustee_user_id = trustee.id + cluster.trustee_password = password +- trust = osc.keystone().create_trust(trustee.id) ++ ++ trust = osc.keystone().create_trust( ++ cluster.trustee_user_id) + cluster.trust_id = trust.id ++ + except Exception: + LOG.exception( + _LE('Failed to create trustee and trust for Cluster: %s'), +@@ -41,9 +46,11 @@ + + def delete_trustee_and_trust(osc, context, cluster): + try: ++ kst = osc.keystone() ++ + # The cluster which is upgraded from Liberty doesn't have trust_id + if cluster.trust_id: +- osc.keystone().delete_trust(context, cluster) ++ kst.delete_trust(context, cluster) + except Exception: + # Exceptions are already logged by keystone().delete_trust + pass +--- a/magnum/db/sqlalchemy/api.py ++++ b/magnum/db/sqlalchemy/api.py +@@ -24,6 +24,8 @@ + from sqlalchemy.orm.exc import MultipleResultsFound + from sqlalchemy.orm.exc import NoResultFound + ++from magnum.common import clients ++from magnum.common import context as request_context + from magnum.common import exception + from magnum.db import api + from magnum.db.sqlalchemy import models +@@ -113,8 +115,21 @@ + if context.is_admin and context.all_tenants: + return query + +- if context.project_id: ++ admin_context = request_context.make_admin_context(all_tenants=True) ++ osc = clients.OpenStackClients(admin_context) ++ kst = osc.keystone() ++ ++ # User in a regular project (not in the trustee domain) ++ if context.project_id and context.domain_id != kst.trustee_domain_id: + query = query.filter_by(project_id=context.project_id) ++ # Match project ID component in 
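Review bot: `add_policy_attributes` performs an admin-scoped Keystone round trip (new admin context, new `OpenStackClients`, `keystone().trustee_domain_id`) on every `enforce` call, i.e. on every API request, so a Keystone outage now turns every Magnum call into an error and each request pays the extra latency. `trustee_domain_id` is a deployment constant derived from the `[trust]` configuration; resolve it once and memoize it (a module-level cache inside `add_policy_attributes`, or a cached attribute on the enforcer). The indentation of the new `add_policy_attributes(target)` call is not recoverable from this listing: if it sits inside the `if target is None:` branch, callers passing their own `target` never get `trustee_domain_id` added and `deny_cluster_user` is evaluated against an incomplete target. The enclosing `enforce` function starts before this hunk.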
trustee user's user name against ++ # cluster's project_id to associate per-cluster trustee users who have ++ # no project information with the project their clusters/cluster models ++ # reside in. This is equivalent to the project filtering above. ++ elif context.domain_id == kst.trustee_domain_id: ++ user_name = kst.client.users.get(context.user_id).name ++ user_project = user_name.split('_', 2)[1] ++ query = query.filter_by(project_id=user_project) + else: + query = query.filter_by(user_id=context.user_id) + +--- a/magnum/drivers/common/template_def.py ++++ b/magnum/drivers/common/template_def.py +@@ -23,6 +23,7 @@ + from magnum.common import clients + from magnum.common import exception + from magnum.i18n import _ ++from magnum.i18n import _LE + from magnum.i18n import _LW + + from requests import exceptions as req_exceptions +@@ -380,7 +381,20 @@ + extra_params['trustee_user_id'] = cluster.trustee_user_id + extra_params['trustee_username'] = cluster.trustee_username + extra_params['trustee_password'] = cluster.trustee_password +- extra_params['trust_id'] = cluster.trust_id ++ ++ # Only pass trust ID into the template when it is needed. 
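Review bot: Authorization for trustee users is derived by parsing the Keystone user name (`user_name.split('_', 2)[1]`), and a name without an underscore raises IndexError out of `_add_tenant_filters`, turning the request into a 500; that is exactly the shape of trustees created by the pre-patch code (bare cluster UUID), which presumably still present the trustee domain in their context after an upgrade. The cluster row already records `trustee_user_id`, so the project can be resolved from data Magnum owns rather than from a name that an identity backend with underscores in project IDs could split differently. Like the policy change, this also adds an admin Keystone client plus a `users.get` lookup to every filtered query; the version below at least drops the `users.get` call (assuming the model is `models.Cluster` in this tree). `_add_tenant_filters` starts before this hunk.
```python
        # Trustee users live in the trustee domain and carry no project of
        # their own; resolve the owning project through the cluster that
        # the trustee was created for instead of parsing the user name.
        elif context.domain_id == kst.trustee_domain_id:
            owner = model_query(models.Cluster).filter_by(
                trustee_user_id=context.user_id).first()
            if owner is None:
                # Unknown (e.g. pre-upgrade) trustee: deny rather than 500
                raise exception.NotAuthorized()
            query = query.filter_by(project_id=owner.project_id)
        # … unchanged: else branch filtering by user_id …
```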
++ if (cluster_template.volume_driver == 'rexray' or ++ cluster_template.registry_enabled): ++ if CONF.trust.cluster_user_trust: ++ extra_params['trust_id'] = cluster.trust_id ++ else: ++ missing_setting = ('trust/cluster_user_trust = True') ++ msg = _LE('This cluster can only be created with %s in ' ++ 'magnum.conf') ++ raise exception.ConfigInvalid(msg % missing_setting) ++ else: ++ extra_params['trust_id'] = "" ++ + extra_params['auth_url'] = context.auth_url + + return super(BaseTemplateDefinition, +--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh ++++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh +@@ -49,11 +49,6 @@ + "password": "$TRUSTEE_PASSWORD" + } + } +- }, +- "scope": { +- "OS-TRUST:trust": { +- "id": "$TRUST_ID" +- } + } + } + } +--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh ++++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh +@@ -71,11 +71,6 @@ + "password": "$TRUSTEE_PASSWORD" + } + } +- }, +- "scope": { +- "OS-TRUST:trust": { +- "id": "$TRUST_ID" +- } + } + } + } +--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml ++++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml +@@ -3,7 +3,7 @@ + write_files: + - path: /etc/sysconfig/heat-params + owner: "root:root" +- permissions: "0644" ++ permissions: "0600" + content: | + KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS" + KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS" +--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml ++++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params.yaml +@@ -3,7 +3,7 @@ + write_files: + - path: /etc/sysconfig/heat-params + owner: "root:root" +- permissions: "0644" ++ permissions: "0600" + content: | + KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV" + KUBE_MASTER_IP="$KUBE_MASTER_IP" +--- 
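Review bot: The gate only recognises `volume_driver == 'rexray'` and `registry_enabled`, while the `cluster_user_trust` help text added in keystone.py names `volume_driver=cinder` as a case that needs the trust; a Kubernetes template using the cinder driver therefore gets `trust_id = ""` silently instead of the `ConfigInvalid` fail-fast, and — if its cloud-provider config consumes `TRUST_ID`, as that help text implies — produces a cluster whose volume integration cannot authenticate. Either extend the check, `if (cluster_template.volume_driver in ('rexray', 'cinder') or cluster_template.registry_enabled):`, or correct the help text, but the two must agree. Minor: `_LE` marks strings for log translation, so the message raised via `ConfigInvalid` should use plain `_()`, and the parentheses around `'trust/cluster_user_trust = True'` are redundant. The enclosing method starts before this hunk.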
a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml ++++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml +@@ -66,11 +66,6 @@ + "password": "$TRUSTEE_PASSWORD" + } + } +- }, +- "scope": { +- "OS-TRUST:trust": { +- "id": "$TRUST_ID" +- } + } + } + } +--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml ++++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml +@@ -89,11 +89,6 @@ + "password": "$TRUSTEE_PASSWORD" + } + } +- }, +- "scope": { +- "OS-TRUST:trust": { +- "id": "$TRUST_ID" +- } + } + } + } +--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml ++++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml +@@ -3,7 +3,7 @@ + write_files: + - path: /etc/sysconfig/heat-params + owner: "root:root" +- permissions: "0644" ++ permissions: "0600" + content: | + KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS" + KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS" +--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml ++++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml +@@ -3,7 +3,7 @@ + write_files: + - path: /etc/sysconfig/heat-params + owner: "root:root" +- permissions: "0644" ++ permissions: "0600" + content: | + KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV" + KUBE_MASTER_IP="$KUBE_MASTER_IP" +--- a/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml ++++ b/magnum/drivers/mesos_ubuntu_v1/templates/fragments/write-heat-params.yaml +@@ -3,7 +3,7 @@ + write_files: + - path: /etc/sysconfig/heat-params + owner: "root:root" +- permissions: "0644" ++ permissions: "0600" + content: | + MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS" + EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT" +--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/fragments/make-cert.py ++++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/fragments/make-cert.py +@@ -147,11 +147,6 @@ + "password": 
"%(trustee_password)s" + } + } +- }, +- "scope": { +- "OS-TRUST:trust": { +- "id": "%(trust_id)s" +- } + } + } + } +@@ -159,7 +154,6 @@ + params = { + 'trustee_user_id': config['TRUSTEE_USER_ID'], + 'trustee_password': config['TRUSTEE_PASSWORD'], +- 'trust_id': config['TRUST_ID'] + } + creds = creds_str % params + headers = {'Content-Type': 'application/json'} +--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/fragments/write-heat-params-master.yaml ++++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/fragments/write-heat-params-master.yaml +@@ -3,7 +3,7 @@ + write_files: + - path: /etc/sysconfig/heat-params + owner: "root:root" +- permissions: "0644" ++ permissions: "0600" + content: | + WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT" + WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN" +--- a/magnum/drivers/swarm_fedora_atomic_v1/templates/fragments/write-heat-params-node.yaml ++++ b/magnum/drivers/swarm_fedora_atomic_v1/templates/fragments/write-heat-params-node.yaml +@@ -3,7 +3,7 @@ + write_files: + - path: /etc/sysconfig/heat-params + owner: "root:root" +- permissions: "0644" ++ permissions: "0600" + content: | + WAIT_HANDLE_ENDPOINT="$WAIT_HANDLE_ENDPOINT" + WAIT_HANDLE_TOKEN="$WAIT_HANDLE_TOKEN" +--- a/magnum/tests/base.py ++++ b/magnum/tests/base.py +@@ -26,6 +26,7 @@ + import testscenarios + + from magnum.common import context as magnum_context ++from magnum.common import keystone as magnum_keystone + from magnum.objects import base as objects_base + from magnum.tests import conf_fixture + from magnum.tests import fake_notifier +@@ -63,11 +64,18 @@ + } + } + } ++ ++ trustee_domain_id = '12345678-9012-3456-7890-123456789abc' ++ + self.context = magnum_context.RequestContext( + auth_token_info=token_info, + project_id='fake_project', + user_id='fake_user') + ++ self.global_mocks = {} ++ ++ self.keystone_client = magnum_keystone.KeystoneClientV3(self.context) ++ + self.policy = self.useFixture(policy_fixture.PolicyFixture()) + + 
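Review bot: Tightening `/etc/sysconfig/heat-params` to 0600 only protects its secrets (`WAIT_HANDLE_TOKEN`, and the trustee password the make-cert fragments read from this file) from other local users once the file is on disk; the same content is delivered to the instance as cloud-init user_data, which on a typical Nova deployment any process on the instance can presumably still fetch from the metadata service or config drive. That is outside what a `write_files` entry can fix, but it should be stated so the 0600 change is not read as making the trustee password instance-private. Suggest a comment above the `- path:` entry (inside the `content:` block it would be written into the file), e.g. `# 0600: holds trustee/wait-handle credentials; user_data itself remains readable via the metadata service`.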
self.useFixture(fixtures.MockPatchObject( +@@ -89,9 +97,22 @@ + + p = mock.patch.object(magnum_context, 'make_context', + side_effect=make_context) ++ ++ self.global_mocks['magnum.common.context.make_context'] = p ++ ++ q = mock.patch.object(magnum_keystone.KeystoneClientV3, ++ 'trustee_domain_id', ++ return_value=trustee_domain_id) ++ ++ self.global_mocks[ ++ 'magnum.common.keystone.KeystoneClientV3.trustee_domain_id'] = q ++ + self.mock_make_context = p.start() + self.addCleanup(p.stop) + ++ self.mock_make_trustee_domain_id = q.start() ++ self.addCleanup(q.stop) ++ + self.useFixture(conf_fixture.ConfFixture()) + self.useFixture(fixtures.NestedTempfile()) + +@@ -104,6 +125,12 @@ + + self.addCleanup(reset_pecan) + ++ def start_global(self, name): ++ self.global_mocks[name].start() ++ ++ def stop_global(self, name): ++ self.global_mocks[name].stop() ++ + def _restore_obj_registry(self): + objects_base.MagnumObjectRegistry._registry._obj_classes \ + = self._base_test_obj_backup +--- a/magnum/tests/unit/common/test_keystone.py ++++ b/magnum/tests/unit/common/test_keystone.py +@@ -55,6 +55,19 @@ + admin_tenant_name='service', + group=keystone.CFG_LEGACY_GROUP) + ++ # Disable global mocking for trustee_domain_id ++ self.stop_global( ++ 'magnum.common.keystone.KeystoneClientV3.trustee_domain_id') ++ ++ def tearDown(self): ++ # Re-enable global mocking for trustee_domain_id. We need this because ++ # mock blows up when trying to stop an already stopped patch (which it ++ # will do due to the addCleanup() in base.TestCase). 
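Review bot: `mock.patch.object(KeystoneClientV3, 'trustee_domain_id', return_value=trustee_domain_id)` replaces what the production code reads as a plain attribute (`kst.trustee_domain_id`, `admin_osc.keystone().trustee_domain_id` elsewhere in this patch) with a `MagicMock`; `return_value` only applies when the mock is called, so comparisons such as `context.domain_id != kst.trustee_domain_id` see a MagicMock, never `'12345678-9012-3456-7890-123456789abc'`, and the trustee-domain branches in `_add_tenant_filters` are effectively untested. Patch it as a property: `q = mock.patch.object(magnum_keystone.KeystoneClientV3, 'trustee_domain_id', new_callable=mock.PropertyMock, return_value=trustee_domain_id)`. `start_global`/`stop_global` would benefit from a short docstring saying they exist so a test can temporarily lift a patch installed in `setUp` (test_keystone.py does exactly that), and that the name must be a key of `self.global_mocks`.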
++ self.start_global( ++ 'magnum.common.keystone.KeystoneClientV3.trustee_domain_id') ++ ++ super(KeystoneClientTest, self).tearDown() ++ + def test_client_with_password(self, mock_ks): + self.ctx.is_admin = True + ks_client = keystone.KeystoneClientV3(self.ctx) +@@ -136,6 +149,7 @@ + ks_client.create_trust(trustee_user='888888') + + mock_ks.return_value.trusts.create.assert_called_once_with( ++ delegation_depth=0, + trustor_user='123456', project='654321', + trustee_user='888888', role_names=['role1', 'role2'], + impersonation=True) +@@ -152,6 +166,7 @@ + ks_client.create_trust(trustee_user='888888') + + mock_ks.return_value.trusts.create.assert_called_once_with( ++ delegation_depth=0, + trustor_user='123456', project='654321', + trustee_user='888888', role_names=['role3'], + impersonation=True) +--- a/magnum/tests/unit/conductor/handlers/common/test_trust_manager.py ++++ b/magnum/tests/unit/conductor/handlers/common/test_trust_manager.py +@@ -37,6 +37,7 @@ + mock_generate_password.return_value = mock_password + mock_cluster = mock.MagicMock() + mock_cluster.uuid = 'mock_cluster_uuid' ++ mock_cluster.project_id = 'mock_cluster_project_id' + mock_keystone = mock.MagicMock() + mock_trustee = mock.MagicMock() + mock_trustee.id = 'mock_trustee_id' +@@ -52,7 +53,7 @@ + trust_manager.create_trustee_and_trust(self.osc, mock_cluster) + + mock_keystone.create_trustee.assert_called_once_with( +- mock_cluster.uuid, ++ '%s_%s' % (mock_cluster.uuid, mock_cluster.project_id), + mock_password, + ) + mock_keystone.create_trust.assert_called_once_with( +--- a/magnum/tests/unit/conductor/handlers/test_cluster_conductor.py ++++ b/magnum/tests/unit/conductor/handlers/test_cluster_conductor.py +@@ -191,6 +191,11 @@ + mock_poller.poll_and_check.return_value = loopingcall.LoopingCallDone() + mock_heat_poller_class.return_value = mock_poller + osc = mock.sentinel.osc ++ ++ def return_keystone(): ++ return self.keystone_client ++ ++ osc.keystone = return_keystone + 
mock_openstack_client_class.return_value = osc + + def create_stack_side_effect(context, osc, cluster, timeout): +--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py ++++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py +@@ -67,7 +67,7 @@ + 'trustee_username': 'fake_trustee', + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'coe_version': 'fake-version', + } + self.context.auth_url = 'http://192.168.10.10:5000/v3' +@@ -173,7 +173,7 @@ + 'trustee_username': 'fake_trustee', + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'auth_url': 'http://192.168.10.10:5000/v3', + 'insecure_registry_url': '10.0.0.1:5000', + 'kube_version': 'fake-version', +@@ -209,6 +209,10 @@ + 'RegionOne', + group='docker_registry') + ++ cfg.CONF.set_override('cluster_user_trust', ++ True, ++ group='trust') ++ + (template_path, + definition, + env_files) = cluster_conductor._extract_template_definition( +@@ -242,7 +246,7 @@ + 'swift_region': 'RegionOne', + 'tenant_name': 'fake_tenant', + 'tls_disabled': False, +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'trustee_domain_id': self.mock_keystone.trustee_domain_id, + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +@@ -306,7 +310,7 @@ + 'trustee_username': 'fake_trustee', + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'auth_url': 'http://192.168.10.10:5000/v3', + 'cluster_uuid': self.cluster_dict['uuid'], + 'magnum_url': self.mock_osc.magnum_url.return_value, +@@ -363,7 +367,7 @@ + 'trustee_username': 'fake_trustee', + 
'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'auth_url': 'http://192.168.10.10:5000/v3', + 'cluster_uuid': self.cluster_dict['uuid'], + 'magnum_url': self.mock_osc.magnum_url.return_value, +@@ -530,7 +534,7 @@ + 'trustee_username': 'fake_trustee', + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'auth_url': 'http://192.168.10.10:5000/v3', + 'insecure_registry_url': '10.0.0.1:5000', + 'kube_version': 'fake-version', +--- a/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py ++++ b/magnum/tests/unit/conductor/handlers/test_mesos_cluster_conductor.py +@@ -37,6 +37,7 @@ + 'http_proxy': 'http_proxy', + 'https_proxy': 'https_proxy', + 'no_proxy': 'no_proxy', ++ 'registry_enabled': False, + 'server_type': 'vm', + 'volume_driver': 'volume_driver', + 'labels': {'rexray_preempt': 'False', +@@ -109,7 +110,7 @@ + 'trustee_username': 'fake_trustee', + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'volume_driver': 'volume_driver', + 'auth_url': 'http://192.168.10.10:5000/v3', + 'region_name': self.mock_osc.cinder_region_name.return_value, +@@ -158,7 +159,7 @@ + 'trustee_username': 'fake_trustee', + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'auth_url': 'http://192.168.10.10:5000/v3', + 'region_name': self.mock_osc.cinder_region_name.return_value, + 'username': 'mesos_user', +@@ -208,7 +209,7 @@ + 'trustee_username': 'fake_trustee', + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': 
'7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'volume_driver': 'volume_driver', + 'auth_url': 'http://192.168.10.10:5000/v3', + 'region_name': self.mock_osc.cinder_region_name.return_value, +@@ -260,7 +261,7 @@ + 'trustee_username': 'fake_trustee', + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'volume_driver': 'volume_driver', + 'auth_url': 'http://192.168.10.10:5000/v3', + 'region_name': self.mock_osc.cinder_region_name.return_value, +--- a/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py ++++ b/magnum/tests/unit/conductor/handlers/test_swarm_cluster_conductor.py +@@ -68,6 +68,12 @@ + 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', + 'coe_version': 'fake-version' + } ++ ++ # We need this due to volume_driver=rexray ++ cfg.CONF.set_override('cluster_user_trust', ++ True, ++ group='trust') ++ + osc_patcher = mock.patch('magnum.common.clients.OpenStackClients') + self.mock_osc_class = osc_patcher.start() + self.addCleanup(osc_patcher.stop) +@@ -255,7 +261,7 @@ + 'trustee_username': 'fake_trustee', + 'trustee_password': 'fake_trustee_password', + 'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656', +- 'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de', ++ 'trust_id': '', + 'auth_url': 'http://192.168.10.10:5000/v3', + 'swarm_version': 'fake-version', + 'rexray_preempt': 'False' diff -Nru magnum-3.1.1/debian/patches/series magnum-3.1.1/debian/patches/series --- magnum-3.1.1/debian/patches/series 2017-04-04 17:31:50.000000000 +0200 +++ magnum-3.1.1/debian/patches/series 2017-06-01 16:31:39.000000000 +0200 @@ -1,2 +1,3 @@ install-missing-files.patch allow-sqla-1.1.patch +CVE-2016-7404.patch