Merge "[Train-only] Added 'Modify Realm Domains' privilege to nova hosts" into stable/train

2022-09-21 20:45:14 +00:00 · 2022-09-21 20:45:14 +00:00 · e41a4c54ec
parent 0f060bcc01 759a5bebe8
commit e41a4c54ec
4 changed files with 43 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -334,3 +334,8 @@ rhsm_overcloud_env: ''
 # nic prefix used when renaming network interfaces
 # if the environment uses unpredictable interfaces  name.
 nic_prefix: "em"
+
+# freeipa admin password
+# we need to make sure this password matches with the passwd
+# define in tls-everywhere role
+freeipa_admin_password: 12345678
--- a/tasks/update/create-undercloud-update-scripts.yaml
+++ b/tasks/update/create-undercloud-update-scripts.yaml
@ -20,3 +20,10 @@
    - 'pre_undercloud_update_workarounds'
    - 'post_undercloud_update_workarounds'
  when: updates_workarounds|bool
+
+- name: create IPA permission script
+  template:
+    src: ipa-permission.sh.j2
+    dest: "{{ working_dir }}/ipa-permission.sh"
+    mode: 0775
+    force: true
--- a/tasks/update/main.yml
+++ b/tasks/update/main.yml
@ -21,6 +21,21 @@
      tags:
        - undercloud_update

+    - name: Check for IdM/FreeIPA host configuration
+      stat:
+        path: /etc/ipa/default.conf
+      register: ipa_conf_stat
+
+    # 'System: Modify Realm Domains' permission is required. Check OSP-17785
+    - name: IPA permission
+      shell: |
+          set -o pipefail
+          ./ipa-permission.sh 2>&1  {{ timestamper_cmd }} >> \
+            ipa-permission.log
+      args:
+        executable: /usr/bin/bash
+      when: ipa_conf_stat.stat.exists
+
    - name: install/update required packages before updating the undercloud
      become: true
      become_user: root
--- a/templates/ipa-permission.sh.j2
+++ b/templates/ipa-permission.sh.j2
@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# This script make we we have 'System: Modify Realm Domains' privilege
+# set on 'Nova Host Management'
+
+set -o pipefail
+
+echo {{ freeipa_admin_password }} | kinit admin
+
+ipa privilege-show 'Nova Host Management' --all --raw | grep "memberof: cn=System: Modify Realm Domains"
+rc=$?
+if [ $rc -ne 0]; then
+    ipa privilege-add-permission 'Nova Host Management' --permission 'System: Modify Realm Domains'
+else
+    echo "Privilege already added"
+fi