From eeb23bf7adfacee193592235536226dc48a614c0 Mon Sep 17 00:00:00 2001 From: Craig Tracey Date: Wed, 22 Jan 2014 14:41:42 -0500 Subject: [PATCH] keystone-manage to be run by keystone user/group keystone-manage pki_setup and keystone-manage db_sync should be run by the designated keystone user and group. The reason being that these commands when run as root (as is the case with chef) may drop a keystone.log file. If this is the first pass, that file will be owned by root and subsequent writes to that file by the proper keystone user or group will likely fail. This change also removes a redundant test for opensuse. Change-Id: I627674b319738f9c79ff146ddfdf979db55b2c14 --- recipes/server.rb | 4 ++++ spec/server-opensuse_spec.rb | 12 ------------ spec/server_spec.rb | 21 ++++++++++++++++----- 3 files changed, 20 insertions(+), 17 deletions(-) diff --git a/recipes/server.rb b/recipes/server.rb index 65123d0..63235d2 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -91,6 +91,7 @@ end execute 'keystone-manage pki_setup' do user node['openstack']['identity']['user'] + group node['openstack']['identity']['group'] only_if { node['openstack']['auth']['strategy'] == 'pki' } not_if { ::FileTest.exists? node['openstack']['identity']['signing']['keyfile'] } @@ -169,5 +170,8 @@ end # sync db after keystone.conf is generated execute 'keystone-manage db_sync' do + user node['openstack']['identity']['user'] + group node['openstack']['identity']['group'] + only_if { node['openstack']['identity']['db']['migrate'] } end diff --git a/spec/server-opensuse_spec.rb b/spec/server-opensuse_spec.rb index 40a0812..21c6d6f 100644 --- a/spec/server-opensuse_spec.rb +++ b/spec/server-opensuse_spec.rb 
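Review bot: The `group` line added to the `keystone-manage pki_setup` resource is, as far as this patch shows, only asserted with the Ubuntu account names, because the same commit deletes the openSUSE 'runs pki setup' example, the one visible check that the platform-specific user `openstack-keystone` is applied. Unless another openSUSE example covers it, I would keep that example and extend its matcher to `.with(user: 'openstack-keystone', group: '<OPENSUSE_KEYSTONE_GROUP>')`, taking the group value from the platform attributes. A comment above the resource, such as `# run as the keystone user/group so a first-run keystone.log is not created root-owned`, would record why both attributes are set. The resource body continues past the end of this hunk.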
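Review bot: Running `keystone-manage db_sync` with the added `user` and `group` prevents a new root-owned keystone.log, but nothing in this hunk repairs a log that an earlier converge already created as root. On such a node this resource would now run unprivileged against that file, so the write failure described in the commit message may surface during the converge itself. Whether it does depends on how keystone-manage handles an unwritable log, which the page does not show. Consider declaring a `file` resource for the log path ahead of this block, with `owner` and `group` taken from the same two node attributes, so ownership is corrected before the command runs. The existing comment could also state the reason, e.g. `# run as the keystone user/group so keystone.log is never created by root`.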
@@ -73,18 +73,6 @@ describe 'openstack-identity::server' do expect(@chef_run).to delete_file '/var/lib/keystone/keystone.db' end - it 'runs pki setup' do - chef_run = ::ChefSpec::Runner.new(::OPENSUSE_OPTS) do |n| - n.set['openstack']['auth']['strategy'] = 'pki' - end - chef_run.converge 'openstack-identity::server' - cmd = 'keystone-manage pki_setup' - - expect(chef_run).to run_execute(cmd).with( - user: 'openstack-keystone' - ) - end - describe 'keystone.conf' do before do @template = @chef_run.template '/etc/keystone/keystone.conf' diff --git a/spec/server_spec.rb b/spec/server_spec.rb index bba719d..2bc0ef4 100644 --- a/spec/server_spec.rb +++ b/spec/server_spec.rb @@ -142,7 +142,10 @@ describe 'openstack-identity::server' do chef_run = ::ChefSpec::Runner.new ::UBUNTU_OPTS chef_run.converge 'openstack-identity::server' - expect(chef_run).to_not run_execute(@cmd).with(user: 'keystone') + expect(chef_run).to_not run_execute(@cmd).with( + user: 'keystone', + group: 'keystone' + ) end end @@ -160,7 +163,8 @@ describe 'openstack-identity::server' do @chef_run.converge 'openstack-identity::server' expect(@chef_run).to run_execute(@cmd).with( - user: 'keystone' + user: 'keystone', + group: 'keystone' ) end @@ -171,7 +175,8 @@ describe 'openstack-identity::server' do @chef_run.converge 'openstack-identity::server' expect(@chef_run).not_to run_execute(@cmd).with( - user: 'keystone' + user: 'keystone', + group: 'keystone' ) end end @@ -315,7 +320,10 @@ describe 'openstack-identity::server' do end it 'runs migrations' do - expect(@chef_run).to run_execute(@cmd) + expect(@chef_run).to run_execute(@cmd).with( + user: 'keystone', + group: 'keystone' + ) end it 'does not run migrations' do @@ -324,7 +332,10 @@ describe 'openstack-identity::server' do end chef_run.converge 'openstack-identity::server' - expect(chef_run).not_to run_execute(@cmd) + expect(chef_run).not_to run_execute(@cmd).with( + user: 'keystone', + group: 'keystone' + ) end end end
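Review bot: In the three negative examples of spec/server_spec.rb (hunks `@@ -142,7 +142,10`, `@@ -171,7 +175,8` and `@@ -324,7 +332,10`) the added `.with(user: 'keystone', group: 'keystone')` weakens the assertion rather than tightening it. A negated `run_execute(@cmd).with(...)` passes whenever no execute matches all the given attributes, so it still passes if the command runs as root or under another group. The last of these hunks turns a check that was unconditional into this weaker form. For the 'does not run' cases keep the bare matcher, `expect(chef_run).not_to run_execute(@cmd)`, and leave the `user`/`group` constraint to the positive examples. The file also mixes `to_not` and `not_to`; settling on one would make the examples easier to scan.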