keystone-manage to be run by keystone user/group

keystone-manage pki_setup and keystone-manage db_sync should be run by the designated keystone user and group. The reason being that these commands when run as root (as is the case with chef) may drop a keystone.log file. If this is the first pass, that file will be owned by root and subsequent writes to that file by the proper keystone user or group will likely fail. This change also removes a redundant test for opensuse. Change-Id: I627674b319738f9c79ff146ddfdf979db55b2c14
2014-01-22 14:41:42 -05:00
parent 9b27857f01
commit eeb23bf7ad
3 changed files with 20 additions and 17 deletions
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -91,6 +91,7 @@ end

 execute 'keystone-manage pki_setup' do
  user node['openstack']['identity']['user']
+  group node['openstack']['identity']['group']

  only_if { node['openstack']['auth']['strategy'] == 'pki' }
  not_if { ::FileTest.exists? node['openstack']['identity']['signing']['keyfile'] }
@@ -169,5 +170,8 @@ end

 # sync db after keystone.conf is generated
 execute 'keystone-manage db_sync' do
+  user node['openstack']['identity']['user']
+  group node['openstack']['identity']['group']
+
  only_if { node['openstack']['identity']['db']['migrate'] }
 end
--- a/spec/server-opensuse_spec.rb
+++ b/spec/server-opensuse_spec.rb
@@ -73,18 +73,6 @@ describe 'openstack-identity::server' do
      expect(@chef_run).to delete_file '/var/lib/keystone/keystone.db'
    end

-    it 'runs pki setup' do
-      chef_run = ::ChefSpec::Runner.new(::OPENSUSE_OPTS) do |n|
-        n.set['openstack']['auth']['strategy'] = 'pki'
-      end
-      chef_run.converge 'openstack-identity::server'
-      cmd = 'keystone-manage pki_setup'
-
-      expect(chef_run).to run_execute(cmd).with(
-        user: 'openstack-keystone'
-      )
-    end
-
    describe 'keystone.conf' do
      before do
        @template = @chef_run.template '/etc/keystone/keystone.conf'
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
@@ -142,7 +142,10 @@ describe 'openstack-identity::server' do
          chef_run = ::ChefSpec::Runner.new ::UBUNTU_OPTS
          chef_run.converge 'openstack-identity::server'

-          expect(chef_run).to_not run_execute(@cmd).with(user: 'keystone')
+          expect(chef_run).to_not run_execute(@cmd).with(
+            user: 'keystone',
+            group: 'keystone'
+          )
        end
      end

@@ -160,7 +163,8 @@ describe 'openstack-identity::server' do
          @chef_run.converge 'openstack-identity::server'

          expect(@chef_run).to run_execute(@cmd).with(
-            user: 'keystone'
+            user: 'keystone',
+            group: 'keystone'
          )
        end

@@ -171,7 +175,8 @@ describe 'openstack-identity::server' do
          @chef_run.converge 'openstack-identity::server'

          expect(@chef_run).not_to run_execute(@cmd).with(
-            user: 'keystone'
+            user: 'keystone',
+            group: 'keystone'
          )
        end
      end
@@ -315,7 +320,10 @@ describe 'openstack-identity::server' do
      end

      it 'runs migrations' do
-        expect(@chef_run).to run_execute(@cmd)
+        expect(@chef_run).to run_execute(@cmd).with(
+          user: 'keystone',
+          group: 'keystone'
+       )
      end

      it 'does not run migrations' do
@@ -324,7 +332,10 @@ describe 'openstack-identity::server' do
        end
        chef_run.converge 'openstack-identity::server'

-        expect(chef_run).not_to run_execute(@cmd)
+        expect(chef_run).not_to run_execute(@cmd).with(
+          user: 'keystone',
+          group: 'keystone'
+        )
      end
    end
  end