From 9cb9618dc96130f716314625aa3fce4cf2a34ef4 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 9 Jul 2020 08:05:40 -0500
Subject: [PATCH] Update undercloud TLS template with proper keytab group

The undercloud supports enrolling itself as a FreeIPA client when configured to use TLS-everywhere. However, we recently hit a bug where the group permissions of the keytab were set to the old mistral user (tripleo-admin). This causes issues because more or what mistral did is being handled by ansible and the deployment user. This commit updates the group for the keytab to root, which the deployment users is already a member of. This keeps permission of the keytab strict but doesn't compromise usability by modifying the group in a way that requires the deployment user to re-authenticate to access it.

Change-Id: Iacf5e6147f7ef02ba514b7dddc65383faa440826
Closes-Bug: 1886870
---
 deployment/tls/undercloud-tls.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/deployment/tls/undercloud-tls.yaml b/deployment/tls/undercloud-tls.yaml
index 8c35f41ad4..9114598d49 100644
--- a/deployment/tls/undercloud-tls.yaml
+++ b/deployment/tls/undercloud-tls.yaml
@@ -74,7 +74,6 @@ outputs:
           set_fact:
             nova_service: "nova/{{ ansible_facts['nodename'] }}"
             nova_keytab: "/etc/novajoin/krb5.keytab"
-            nova_keytab_group: "tripleo-admin"
         - name: Add directory for keytab
           file:
             path: "/etc/novajoin"
@@ -92,5 +91,5 @@ outputs:
         - name: Set permissions on keytab
           file:
             path: "{{ nova_keytab }}"
-            group: "{{ nova_keytab_group }}"
+            group: "root"
             mode: "g+r"
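Review bot: The "Set permissions on keytab" task in the second hunk still uses the symbolic mode `mode: "g+r"`, which only adds the group-read bit and never clears any world-readable bit the keytab may already carry, so the stricter group ownership introduced by `group: "root"` does not by itself guarantee the file is unreadable to other users. Since the task now manages the group explicitly, an absolute mode such as `mode: "0640"` (quoted so it is not parsed as octal) would pin the intended permissions regardless of the file's prior state. The rationale for the group choice lives only in the commit message; a short comment above the task, e.g. `# root group: the deployment user is already a member (Closes-Bug 1886870)`, would keep it with the code. The removal of the `nova_keytab_group` fact in the first hunk is safe only if no other task in this play (the task list continues outside both hunks) still references it; worth a grep before merging.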