Merge "Enabling support for Thales Luna user id and group id."

2025-05-06 07:45:46 +00:00 · 2025-05-06 07:45:46 +00:00 · e0b7cb9d8b
commit e0b7cb9d8b
parent acbaec3ee1 d85bc282b9
3 changed files with 15 additions and 1 deletions
--- a/docker/barbican/barbican-base/Dockerfile.j2
+++ b/docker/barbican/barbican-base/Dockerfile.j2
@ -7,7 +7,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build

 {% import "macros.j2" as macros with context %}

-{{ macros.configure_user(name='barbican', groups='nfast') }}
+{{ macros.configure_user(name='barbican', groups='nfast,hsmusers') }}

 {{ macros.install_packages(barbican_base_packages | customizable("packages")) }}

--- a/kolla/common/users.py
+++ b/kolla/common/users.py
@ -341,5 +341,9 @@ USERS = {
    'opensearch-dashboards-user': {
        'uid': 42492,
        'gid': 42492,
+    },
+    'hsmusers-user': {
+        'uid': 42493,  # This is not used, but the group ID is required.
+        'gid': 42493,
    }
 }
--- a/releasenotes/notes/fix-luna-hsm-deployment-permissions-issue-dfc2d8c92d2eaf57.yaml
+++ b/releasenotes/notes/fix-luna-hsm-deployment-permissions-issue-dfc2d8c92d2eaf57.yaml
@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    Fixes a bug with Thales Luna HSM deployments.
+    The new client software version requires the use of a specific group
+    called "hsmusers", and for consistency reasons, we are specifying
+    both, the user id and the group id, and inserting the Barbican username
+    inside of such a group.
+    More information can be found at
+    `LP#Luna <https://www.thalesdocs.com/gphsm/luna/7/docs/pci/Content/install/client_install/linux_install.htm>`__