Fix permission denied during Fernet key rotation

During a deploy, if keystone Fernet key rotation happens before the keystone container starts, the rotation may fail with 'permission denied'. This happens because config.json for Keystone sets the permissions for /etc/keystone/fernet-keys. This change fixes the issue by also setting the permissions for /etc/keystone/fernet-keys in config.json for keystone-fernet and keystone-ssh. Change-Id: I561e4171d14dcaad8a2a9a36ccab84a670daa904 Closes-Bug: #1888512
2020-10-22 09:33:11 +01:00 · 2020-10-22 09:33:11 +01:00 · b45679f122
parent ffef1f2953
commit b45679f122
3 changed files with 21 additions and 0 deletions
--- a/ansible/roles/keystone/templates/keystone-fernet.json.j2
+++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2
@ -50,5 +50,12 @@
            "owner": "keystone",
            "perm": "0600"
        }{% endif %}
+    ],
+    "permissions": [
+        {
+            "path": "/etc/keystone/fernet-keys",
+            "owner": "keystone:keystone",
+            "perm": "0770"
+        }
    ]
 }
--- a/ansible/roles/keystone/templates/keystone-ssh.json.j2
+++ b/ansible/roles/keystone/templates/keystone-ssh.json.j2
@ -13,5 +13,12 @@
            "owner": "keystone",
            "perm": "0600"
        }
+    ],
+    "permissions": [
+        {
+            "path": "/etc/keystone/fernet-keys",
+            "owner": "keystone:keystone",
+            "perm": "0770"
+        }
    ]
 }
--- a/releasenotes/notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml
+++ b/releasenotes/notes/fix-keystone-fernet-perms-82632fb9e53ca3d5.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue where Keystone Fernet key rotation may fail due to
+    permission denied error if the Keystone rotation happens before the
+    Keystone container starts. `LP#1888512
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1888512>`__