Use appropriate permissions for the keytab

A recent bug [0] and fix upstream no longer ensures that we use the
tripleo-admin user as the ansible_ssh_user when invoking ansible
playbooks against the undercloud. This means we need to update the
keytab group to something else. Using root makes sense because the user
invoking the overcloud installation should already have root access.

In addition to changing the group, this patch updates the appropriate
tasks so they run with `become: true`, allowing them to access the
keytab.

[0] https://bugs.launchpad.net/tripleo/+bug/1884123

Partial-Bug: 1886870

Change-Id: I523d17f48b8e49e28a1b3becfd5e0cdf044ff742
Lance Bragstad 2020-07-08 14:48:56 -05:00
parent 3f7a8c0347
commit d3d47118db
4 changed files with 9 additions and 1 deletions
tripleo_ipa/roles
tripleo_ipa_dns/tasks
tripleo_ipa_registration/tasks
tripleo_ipa_setup/tasks

@ -28,6 +28,7 @@
- name: add dns zone
ipa_dnszone:
zone_name: "{{ zone_name }}"
become: true
- name: add forward dns record
ipa_dnsrecord:
@ -35,6 +36,7 @@
record_name: "{{ record_name }}"
record_type: "{{ record_type }}"
record_value: "{{ record_value }}"
become: true
- name: get reverse record data
set_fact:
@ -59,6 +61,7 @@
failed_when:
- "'zone' not in reverse_zone_result"
- "'already exists in DNS' not in reverse_zone_result.msg"
become: true
- name: add reverse dns record
ipa_dnsrecord:
@ -70,3 +73,4 @@
failed_when:
- "'record' not in reverse_record_result"
- "'DNS zone not found' not in reverse_record_result.msg"
become: true
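Review bot: The new `become: true` is repeated on each of the four ipa_dnszone/ipa_dnsrecord tasks in this file, while the host-enrolment section in the same commit sets it once on a `block:` next to its `when:`; grouping these tasks the same way, or setting `become` once at the role or play level, keeps the privilege escalation in one visible place and avoids a later task silently running without it. The same per-task repetition appears in the ipa_host/ipa_service section. These hunks begin and end mid-file, so the tasks around them are not visible here.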

@ -33,6 +33,7 @@
- name: add main host to IPA with OTP
when: enroll_base_server|bool
become: true
block:
- name: get host raw data and keytab info
command: "ipa host-show --raw --all {{ base_server_fqdn }}"

@ -36,6 +36,7 @@
force: true
state: present
validate_certs: false
become: true
- name: add service
ipa_service:
@ -43,6 +44,7 @@
force: true
state: present
validate_certs: false
become: true
register: my_service
- name: add host to managed_hosts if needed
@ -53,3 +55,4 @@
state: present
hosts: "{{ my_service['host']['managedby_host'] + [ base_server_fqdn ] }}"
validate_certs: false
become: true
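Review bot: Each task that gains `become: true` in this section also carries `validate_certs: false`, so the ipa_host/ipa_service registration now runs as root against an IPA endpoint whose certificate is not verified; the commit does not introduce that setting, but the escalation makes it worth bounding. Consider driving it from a variable that defaults to verification, e.g. `validate_certs: "{{ ipa_validate_certs | default(true) }}"`, so only explicitly configured environments skip the check. The enclosing task list continues outside these hunks.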

@ -23,7 +23,7 @@
set_fact:
nova_service: "nova/{{ undercloud_fqdn }}"
nova_keytab: "/etc/novajoin/krb5.keytab"
nova_keytab_group: "tripleo-admin"
nova_keytab_group: "root"
- name: add directory for keytab
file:
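Review bot: `nova_keytab_group: "root"` is a deliberate widening that a later reader cannot understand from the set_fact alone; add a comment above it carrying the reason from the commit message, e.g. `# root, not tripleo-admin: the undercloud playbooks are no longer guaranteed to run as tripleo-admin (LP#1884123); tasks that read the keytab use become: true`. With the group now root, what bounds access to the keytab is the mode set by the directory and file tasks that follow, which continue past the end of this hunk and are not visible here; they should keep the file owner/group-readable only.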