Set correct ownership for nova keytab
Nova user's keytab is currently owned by root, which makes it impossible for the nova user to read it when contacting IPA through novajoin. Change-Id: I3ee7cb9b396301ec8714a3cf0c8ab169750c1857
parent
da49892975
commit
861cf4fd57
|
@ -103,7 +103,7 @@ class nova::metadata::novajoin::api (
|
|||
$ipa_domain = undef,
|
||||
$join_listen_port = $::os_service_default,
|
||||
$keystone_auth_url = 'http://127.0.0.1:35357/',
|
||||
$keytab = $::os_service_default,
|
||||
$keytab = '/etc/nova/krb5.keytab',
|
||||
$log_dir = '/var/log/novajoin',
|
||||
$manage_service = true,
|
||||
$nova_user = 'nova',
|
||||
|
@ -187,11 +187,13 @@ class nova::metadata::novajoin::api (
|
|||
|
||||
exec { 'get-service-user-keytab':
|
||||
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
|
||||
-p nova/${::fqdn} -k /etc/nova/krb5.keytab",
|
||||
creates => '/etc/nova/krb5.keytab',
|
||||
-p nova/${::fqdn} -k ${keytab}",
|
||||
creates => $keytab,
|
||||
require => Package['python-novajoin']
|
||||
}
|
||||
|
||||
ensure_resource('file', $keytab, { owner => $nova_user, require => Exec['get-service-user-keytab'] })
|
||||
|
||||
Novajoin_config<||> ~> Service<| title == 'nova-api'|>
|
||||
Exec['get-service-user-keytab'] ~> Service['novajoin-server']
|
||||
Exec['get-service-user-keytab'] ~> Service['novajoin-notify']
|
||||
|
|
|
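Review bot: The `ensure_resource('file', $keytab, ...)` call added after the exec manages only `owner`, so Puppet does not enforce the keytab's mode or group and they stay as whatever `ipa-getkeytab` created. A keytab holds the service's long-term Kerberos keys, so I would pin the permissions in the same resource: `ensure_resource('file', $keytab, { owner => $nova_user, mode => '0600', require => Exec['get-service-user-keytab'] })`. `$keytab` is also now interpolated unquoted into the exec command string and used as a file resource title, so a value that is not an absolute path (including the previous default `$::os_service_default`, if a caller still passes it explicitly) would presumably break the catalog or the command; validating it as an absolute path early in the class would surface that clearly. The class body starts and ends outside the hunks shown.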
@ -25,7 +25,7 @@ describe 'nova::metadata::novajoin::api' do
|
|||
:enable_ipa_client_install => true,
|
||||
:ensure_package => 'present',
|
||||
:join_listen_port => '<SERVICE DEFAULT>',
|
||||
:keytab => '<SERVICE DEFAULT>',
|
||||
:keytab => '/etc/nova/krb5.keytab',
|
||||
:log_dir => '/var/log/novajoin',
|
||||
:manage_service => true,
|
||||
:nova_user => 'nova',
|
||||
|
@ -121,9 +121,15 @@ describe 'nova::metadata::novajoin::api' do
|
|||
it 'is_expected.to get service user keytab' do
|
||||
is_expected.to contain_exec('get-service-user-keytab').with(
|
||||
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
|
||||
-p nova/undercloud.example.com -k /etc/nova/krb5.keytab",
|
||||
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
|
||||
)
|
||||
end
|
||||
|
||||
it { is_expected.to contain_file("#{param_hash[:keytab]}").with(
|
||||
'owner' => "#{param_hash[:nova_user]}",
|
||||
'require' => 'Exec[get-service-user-keytab]',
|
||||
)}
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
|
|
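Review bot: The updated `contain_exec('get-service-user-keytab')` expectation still checks only `'command'`, although the manifest now also derives `creates` from the keytab parameter; adding `'creates' => param_hash[:keytab]` to the `.with(...)` hash would cover it. Every value here comes from the default `param_hash`, so as far as this hunk shows nothing exercises a non-default `:keytab`; a context that overrides it would confirm the path flows into the command, `creates` and the file resource together. The string wrappers in `contain_file("#{param_hash[:keytab]}")` and `'owner' => "#{param_hash[:nova_user]}"` are redundant and can be the bare hash lookups. The describe block begins and ends outside the hunk.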