From 0f49717cd16bfb90e936e898e9d889e4d80c4a31 Mon Sep 17 00:00:00 2001 From: Edward Hope-Morley Date: Tue, 21 Jul 2015 14:44:57 +0100 Subject: [PATCH] [hopem,r=] Fix PKI issues (from l/e merge) --- hooks/keystone_hooks.py | 10 +++++++++- unit_tests/test_keystone_hooks.py | 6 ++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/hooks/keystone_hooks.py b/hooks/keystone_hooks.py index 63e04c94..fdcdf836 100755 --- a/hooks/keystone_hooks.py +++ b/hooks/keystone_hooks.py @@ -76,6 +76,7 @@ from keystone_utils import ( is_pki_enabled, ensure_ssl_dir, ensure_pki_dir_permissions, + ensure_permissions, force_ssl_sync, filter_null, ensure_ssl_dirs, @@ -181,12 +182,19 @@ def initialise_pki(): NOTE: keystone.conf [signing] section must be up-to-date prior to executing this. """ - if is_ssl_cert_master(): + if not peer_units() or is_ssl_cert_master(): log("Ensuring PKI token certs created", level=DEBUG) cmd = ['keystone-manage', 'pki_setup', '--keystone-user', 'keystone', '--keystone-group', 'keystone'] check_call(cmd) + # Ensure logfile has keystone perms since we may have just created it + # with root. + ensure_permissions('/var/log/keystone', user='keystone', + group='keystone', perms=0o744) + ensure_permissions('/var/log/keystone/keystone.log', user='keystone', + group='keystone', perms=0o644) + ensure_pki_dir_permissions() diff --git a/unit_tests/test_keystone_hooks.py b/unit_tests/test_keystone_hooks.py index cf731455..d43260bd 100644 --- a/unit_tests/test_keystone_hooks.py +++ b/unit_tests/test_keystone_hooks.py @@ -306,6 +306,7 @@ class KeystoneRelationTests(CharmTestCase): @patch('keystone_utils.log') @patch('keystone_utils.ensure_ssl_cert_master') @patch('keystone_utils.ensure_ssl_dirs') + @patch.object(hooks, 'ensure_permissions') @patch.object(hooks, 'ensure_pki_dir_permissions') @patch.object(hooks, 'ensure_ssl_dir') @patch.object(hooks, 'is_pki_enabled') 
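Review bot: The modes passed to the two new `ensure_permissions` calls in `initialise_pki()` look off: `perms=0o744` on the `/var/log/keystone` directory gives group and other read without search permission, which is rarely what is meant for a directory, and `perms=0o644` makes `keystone.log` world-readable at the file level. If nothing outside the keystone user and group needs these logs, `perms=0o750` for the directory and `perms=0o640` for the file would state that intent directly. `ensure_permissions` is defined in `keystone_utils`, outside this diff, so it is not visible whether it tolerates a missing path or follows symlinks. The comment says the log file only "may" have been created, and it implies the hook runs as root, so it is worth confirming that the helper skips a non-existent `keystone.log` and does not change ownership through a symlink inside a directory the keystone user owns. Indentation is lost in this rendering, so whether the calls sit inside the `if` branch is inferred from the comment.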
@@ -330,6 +331,7 @@ class KeystoneRelationTests(CharmTestCase):
 mock_is_ssl_cert_master,
 mock_is_pki_enabled,
 mock_ensure_ssl_dir,
+ mock_ensure_permissions,
 mock_ensure_pki_dir_permissions,
 mock_ensure_ssl_dirs,
 mock_ensure_ssl_cert_master,
@@ -368,6 +370,7 @@ class KeystoneRelationTests(CharmTestCase):
 @patch('keystone_utils.ensure_ssl_cert_master')
 @patch('keystone_utils.ensure_ssl_dirs')
 @patch.object(hooks, 'update_all_identity_relation_units')
+ @patch.object(hooks, 'ensure_permissions')
 @patch.object(hooks, 'ensure_pki_dir_permissions')
 @patch.object(hooks, 'ensure_ssl_dir')
 @patch.object(hooks, 'is_pki_enabled')
@@ -387,6 +390,7 @@ class KeystoneRelationTests(CharmTestCase):
 mock_peer_units,
 mock_is_pki_enabled,
 mock_ensure_ssl_dir,
+ mock_ensure_permissions,
 mock_ensure_pki_permissions,
 mock_update_all_id_rel_units,
 ensure_ssl_dirs,
@@ -416,6 +420,7 @@ class KeystoneRelationTests(CharmTestCase):
 @patch('keystone_utils.log')
 @patch('keystone_utils.ensure_ssl_cert_master')
 @patch('keystone_utils.ensure_ssl_dirs')
+ @patch.object(hooks, 'ensure_permissions')
 @patch.object(hooks, 'ensure_pki_dir_permissions')
 @patch.object(hooks, 'ensure_ssl_dir')
 @patch.object(hooks, 'is_pki_enabled')
@@ -439,6 +444,7 @@ class KeystoneRelationTests(CharmTestCase):
 mock_is_ssl_cert_master,
 mock_is_pki_enabled,
 mock_ensure_ssl_dir,
+ mock_ensure_permissions,
 mock_ensure_pki_permissions,
 mock_ensure_ssl_dirs,
 mock_ensure_ssl_cert_master,
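Review bot: The new ownership and mode handling is never asserted: the six insertions in `unit_tests/test_keystone_hooks.py` are three `@patch.object(hooks, 'ensure_permissions')` decorators and the matching `mock_ensure_permissions` parameters, so the helper is only stubbed out. The same applies to the `-306`, `-368` and `-416` decorator hunks and to the `-387` and `-439` parameter hunks. An assertion such as `mock_ensure_permissions.assert_any_call('/var/log/keystone/keystone.log', user='keystone', group='keystone', perms=0o644)` in the test that reaches `initialise_pki()` would pin the path, owner and mode. A case for the new `not peer_units()` branch would also be useful; the test bodies lie outside these hunks, so where such assertions belong is inferred.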