From 41740f975235298477ecc9df894ee3197489f4fd Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Mon, 9 Jul 2018 15:45:16 +0100
Subject: [PATCH] Make kolla ansible user and group configurable
In some cases it is useful to use a user other than the default 'kolla' to perform kolla ansible remote execution. Kolla is adding support for this in the Rocky release, we should use it. It is now possible to configure a different user via the kolla_ansible_user and kolla_ansible_group variables.
Depends-On: https://review.openstack.org/581330
Change-Id: I280fb8f70eacd31fff0ae5671ddd6608cd02ae6e
Story: 2002914
Task: 22892
---
 ansible/group_vars/all/kolla | 10 ++++++++++
 ansible/kolla-target-venv.yml | 4 ++--
 ansible/roles/kolla-ansible/defaults/main.yml | 10 ++++++++++
 .../roles/kolla-ansible/templates/globals.yml.j2 | 6 ++++++
 .../kolla-ansible/templates/overcloud-top-level.j2 | 4 +++-
 ansible/roles/kolla-ansible/templates/seed.j2 | 2 +-
 ansible/roles/kolla-ansible/tests/test-defaults.yml | 2 ++
 ansible/roles/kolla-ansible/tests/test-extras.yml | 4 ++++
 ansible/roles/swift-setup/tasks/rings.yml | 4 ++--
 etc/kayobe/kolla.yml | 13 +++++++++++++
 .../notes/kolla-user-group-85bbe8038c3f719c.yaml | 8 ++++++++
 11 files changed, 61 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/kolla-user-group-85bbe8038c3f719c.yaml
diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla
index 77607b95e..3f92fd262 100644
--- a/ansible/group_vars/all/kolla
+++ b/ansible/group_vars/all/kolla
@@ -294,6 +294,16 @@ kolla_openstack_logging_debug: "False"
 # Upper constraints file for installation of Kolla.
 kolla_upper_constraints_file: "https://raw.githubusercontent.com/openstack/requirements/stable/queens/upper-constraints.txt"
+# User account to use for Kolla SSH access.
+kolla_ansible_user: kolla
+
+# Primary group of Kolla SSH user.
+kolla_ansible_group: kolla
+
+# Whether to use privilege escalation for all operations performed via Kolla
+# Ansible.
+kolla_ansible_become: true
+
 ###############################################################################
 # Kolla feature flag configuration.
diff --git a/ansible/kolla-target-venv.yml b/ansible/kolla-target-venv.yml
index e9bde2c05..af15dd443 100644
--- a/ansible/kolla-target-venv.yml
+++ b/ansible/kolla-target-venv.yml
@@ -39,7 +39,7 @@
 path: "{{ kolla_ansible_target_venv }}"
 recurse: True
 state: directory
- owner: kolla
- group: kolla
+ owner: "{{ kolla_ansible_user }}"
+ group: "{{ kolla_ansible_group }}"
 become: True
 when: kolla_ansible_target_venv is not none
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index abbdc28aa..1ccb132a2 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -35,6 +35,16 @@ kolla_node_custom_config_path:
 # Path to kolla-ansible passwords.yml input file.
 kolla_ansible_passwords_path:
+# User account to use for Kolla SSH access.
+kolla_ansible_user: kolla
+
+# Primary group of Kolla SSH user.
+kolla_ansible_group: kolla
+
+# Whether to use privilege escalation for all operations performed via Kolla
+# Ansible.
+kolla_ansible_become: true
+
 ###############################################################################
 # Kolla-ansible inventory configuration.
diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2
index 472cb6d72..c348beac9 100644
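Review bot: The comment added above `kolla_ansible_become` in ansible/group_vars/all/kolla says only that it controls privilege escalation "for all operations performed via Kolla Ansible"; it does not say what a false value leaves in place or which inventories the setting reaches. Within this patch the variable is only rendered into `[overcloud:vars]`, and the seed.j2 hunk shows no `ansible_become` line next to `ansible_user`, so the seed inventory appears unaffected (the rest of that template is outside the hunk). I would extend the comment along the lines of `# When false, ansible_become is omitted from the overcloud inventory and only tasks that request become escalate; the configured user still needs sudo rights for those tasks.` The same comment text is repeated in roles/kolla-ansible/defaults/main.yml and etc/kayobe/kolla.yml and would need the same wording.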
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@@ -48,6 +48,12 @@ kolla_external_vip_address: "{{ kolla_external_vip_address }}"
 # kolla_external_vip_address.
 kolla_external_fqdn: "{{ kolla_external_fqdn }}"
+# User account to use for Kolla SSH access.
+kolla_user: "{{ kolla_ansible_user }}"
+
+# Primary group of Kolla SSH user.
+kolla_group: "{{ kolla_ansible_group }}"
+
 ################
 # Docker options
 ################
diff --git a/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2 b/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2
index 25379f8c8..dadf1f154 100644
--- a/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2
+++ b/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2
@@ -28,8 +28,10 @@
 {% endfor %}
 [overcloud:vars]
-ansible_user=kolla
+ansible_user={{ kolla_ansible_user }}
+{% if kolla_ansible_become | bool %}
 ansible_become=true
+{% endif %}
 {% if kolla_ansible_target_venv is not none %}
 # Execute ansible modules on the remote target hosts using a virtualenv.
 ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python
diff --git a/ansible/roles/kolla-ansible/templates/seed.j2 b/ansible/roles/kolla-ansible/templates/seed.j2
index 20f826694..bc66951c8 100644
--- a/ansible/roles/kolla-ansible/templates/seed.j2
+++ b/ansible/roles/kolla-ansible/templates/seed.j2
@@ -6,7 +6,7 @@
 {% endfor %}
 [seed:vars]
-ansible_user=kolla
+ansible_user={{ kolla_ansible_user }}
 {% if kolla_ansible_target_venv is not none %}
 # Execute ansible modules on the remote target hosts using a virtualenv.
 ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python
diff --git a/ansible/roles/kolla-ansible/tests/test-defaults.yml b/ansible/roles/kolla-ansible/tests/test-defaults.yml
index 8a66d4846..9aea73d25 100644
--- a/ansible/roles/kolla-ansible/tests/test-defaults.yml
+++ b/ansible/roles/kolla-ansible/tests/test-defaults.yml
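Review bot: `ansible_user={{ kolla_ansible_user }}` in `[overcloud:vars]` writes the configured value into the generated inventory with no quoting or validation, and the seed.j2 hunk adds the same line under `[seed:vars]`. The value is operator-supplied, so this is a robustness point rather than an exposure, but an empty value or one with an embedded line break would produce an inventory that connects as the wrong account or defines an unintended variable. A pre-flight `assert` before the templates are rendered would catch that early, for example `that: kolla_ansible_user is match('^[a-z_][a-z0-9_-]*$')`, with the equivalent check for `kolla_ansible_group`. Where such a task belongs is not visible from these hunks.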
@@ -95,6 +95,8 @@
 kolla_enable_tls_external: False
 kolla_external_fqdn_cert: "fake-cert"
 openstack_logging_debug: False
+ kolla_user: "kolla"
+ kolla_group: "kolla"
 - name: Validate variables are absent from globals.yml
 assert:
diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml
index be579663d..2d56be19f 100644
--- a/ansible/roles/kolla-ansible/tests/test-extras.yml
+++ b/ansible/roles/kolla-ansible/tests/test-extras.yml
@@ -23,6 +23,8 @@
 kolla_node_custom_config_path: "{{ temp_path }}/etc/kolla/config"
 kolla_ansible_passwords_path: "{{ temp_path }}/passwords.yml"
 # Config.
+ kolla_ansible_user: "fake-user"
+ kolla_ansible_group: "fake-group"
 kolla_base_distro: "fake-distro"
 kolla_install_type: "fake-install-type"
 kolla_docker_namespace: "fake-namespace"
@@ -165,6 +167,8 @@
 globals_yml: "{{ lookup('file', temp_path ~ '/etc/kolla/globals.yml') | from_yaml }}"
 expected_variables:
 config_strategy: "COPY_ALWAYS"
+ kolla_user: "fake-user"
+ kolla_group: "fake-group"
 kolla_base_distro: "fake-distro"
 kolla_install_type: "fake-install-type"
 openstack_release: "fake-release"
diff --git a/ansible/roles/swift-setup/tasks/rings.yml b/ansible/roles/swift-setup/tasks/rings.yml
index af092aa36..3ecbca293 100644
--- a/ansible/roles/swift-setup/tasks/rings.yml
+++ b/ansible/roles/swift-setup/tasks/rings.yml
@@ -55,8 +55,8 @@
 src: "{{ swift_ring_build_path }}/{{ item[0] }}.{{ item[1] }}"
 dest: "{{ kolla_config_path }}/config/swift/{{ item[0] }}.{{ item[1] }}"
 remote_src: True
- owner: kolla
- group: kolla
+ owner: "{{ ansible_user_uid }}"
+ group: "{{ ansible_user_gid }}"
 mode: 0644
 with_nested:
 - "{{ swift_service_names }}"
diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
index ca588c0f8..3b208b342 100644
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
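Review bot: In swift-setup/tasks/rings.yml, `owner: "{{ ansible_user_uid }}"` and `group: "{{ ansible_user_gid }}"` take the ring files' ownership from gathered facts instead of from `kolla_ansible_user` and `kolla_ansible_group`, which every other hunk in this patch uses. Those facts describe the account under which fact gathering ran, so if facts were collected with become they resolve to 0 and the copied rings end up owned by root, and if facts were not gathered for this host the task fails on an undefined variable. The play header and any `become` setting for this task are outside the hunk, so this needs checking against the enclosing play. If ownership by the connecting user is intended, say so on the task, for example `# Ring files are owned by the user Ansible connected as (from gathered facts), not kolla_ansible_user.`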
@@ -141,6 +141,19 @@
 # Whether debug logging is enabled.
 #kolla_openstack_logging_debug:
+# Upper constraints file for installation of Kolla.
+#kolla_upper_constraints_file:
+
+# User account to use for Kolla SSH access.
+#kolla_ansible_user:
+
+# Primary group of Kolla SSH user.
+#kolla_ansible_group:
+
+# Whether to use privilege escalation for all operations performed via Kolla
+# Ansible.
+#kolla_ansible_become:
+
 ###############################################################################
 # Kolla feature flag configuration.
diff --git a/releasenotes/notes/kolla-user-group-85bbe8038c3f719c.yaml b/releasenotes/notes/kolla-user-group-85bbe8038c3f719c.yaml
new file mode 100644
index 000000000..60ab31552
--- /dev/null
+++ b/releasenotes/notes/kolla-user-group-85bbe8038c3f719c.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Adds support for configuration of the user used by Kolla Ansible for remote
+ execution. The user is configured via ``kolla_ansible_user``, its primary
+ group via ``kolla_ansible_group``, and ``kolla_ansible_become`` determines
+ whether privilege escalation is used by Kolla Ansible for all tasks or only
+ required tasks.