From d85bc282b97a477e8944524019b5bb886cee71da Mon Sep 17 00:00:00 2001 From: Mauricio Harley Date: Thu, 24 Apr 2025 14:42:38 +0000 Subject: [PATCH] Enabling support for Thales Luna user id and group id. The new client software version requires the use of a specific group called "hsmusers", and for consistency reasons, we are specifying both, the user id and the group id, and inserting the Barbican username inside of such a group. More information can be found on https://www.thalesdocs.com/gphsm/luna/7/docs/pci/Content/install/client_install/linux_install.htm Change-Id: Ib7d0c879b3741ca472cd0bbf3a9a88a0fee25cac Signed-off-by: Mauricio Harley
---
docker/barbican/barbican-base/Dockerfile.j2 | 2 +- kolla/common/users.py | 4 ++++ ...-deployment-permissions-issue-dfc2d8c92d2eaf57.yaml | 10 ++++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fix-luna-hsm-deployment-permissions-issue-dfc2d8c92d2eaf57.yaml
diff --git a/docker/barbican/barbican-base/Dockerfile.j2 b/docker/barbican/barbican-base/Dockerfile.j2
index 057cfe08e4..b872a37d92 100644
--- a/docker/barbican/barbican-base/Dockerfile.j2
+++ b/docker/barbican/barbican-base/Dockerfile.j2
@@ -7,7 +7,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 {% import "macros.j2" as macros with context %}
-{{ macros.configure_user(name='barbican', groups='nfast') }}
+{{ macros.configure_user(name='barbican', groups='nfast,hsmusers') }}
 {{ macros.install_packages(barbican_base_packages | customizable("packages")) }}
diff --git a/kolla/common/users.py b/kolla/common/users.py
index 2675ae80a9..9468396e42 100644
--- a/kolla/common/users.py
+++ b/kolla/common/users.py
@@ -341,5 +341,9 @@ USERS = {
 'opensearch-dashboards-user': {
 'uid': 42492,
 'gid': 42492,
+ },
+ 'hsmusers-user': {
+ 'uid': 42493, # This is not used, but the group ID is required.
+ 'gid': 42493,
 }
 }
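Review bot: `hsmusers` is appended to the barbican account's supplementary groups unconditionally in the `configure_user` call, so every image built from barbican-base carries that membership whether or not a Luna client is present. If that is intended (as it already is for `nfast`), a template comment above the line should say so, for example `{# hsmusers: group required by the Thales Luna client; gid is defined under 'hsmusers-user' in kolla/common/users.py #}`. The hunk does not show where the `hsmusers` group itself is created, so it is worth confirming that it exists in the image before this macro assigns it.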
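Review bot: The fixed gid 42493 on the new `hsmusers-user` entry only grants access if it matches the gid that owns the Luna client files the container actually sees, and nothing in the hunk states that requirement. If the client is installed or mounted from outside the image under an installer-assigned `hsmusers` gid, membership by name alone would presumably not be enough; this should be confirmed against the deployment. The inline comment could carry the constraint, e.g. `# uid unused; gid must match the 'hsmusers' group that owns the Luna client files`. The `USERS` dict begins outside the hunk, so how the `-user` key maps to the group name is not visible here.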
diff --git a/releasenotes/notes/fix-luna-hsm-deployment-permissions-issue-dfc2d8c92d2eaf57.yaml b/releasenotes/notes/fix-luna-hsm-deployment-permissions-issue-dfc2d8c92d2eaf57.yaml
new file mode 100644
index 0000000000..d1dbb66716
--- /dev/null
+++ b/releasenotes/notes/fix-luna-hsm-deployment-permissions-issue-dfc2d8c92d2eaf57.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+ - |
+ Fixes a bug with Thales Luna HSM deployments.
+ The new client software version requires the use of a specific group
+ called "hsmusers", and for consistency reasons, we are specifying
+ both, the user id and the group id, and inserting the Barbican username
+ inside of such a group.
+ More information can be found at
+ `LP#Luna `__