From d3d47118db8818cfd91e57ec10cb2a4b3a8bcde4 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 8 Jul 2020 14:48:56 -0500
Subject: [PATCH] Use appropriate permissions for the keytab

A recent bug [0] and fix upstream no longer ensures that we use the tripleo-admin user as the ansible_ssh_user when invoking ansible playbooks against the undercloud. This means we need to update the keytab group to something else. Using root makes sense because the user invoking the overcloud installation should already have root access. In addition to changing the group, this patch updates the appropriate tasks so there run with `become: true`, allowing them to access the keytab.

[0] https://bugs.launchpad.net/tripleo/+bug/1884123

Partial-Bug: 1886870
Change-Id: I523d17f48b8e49e28a1b3becfd5e0cdf044ff742
---
 tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml | 4 ++++
 tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml | 1 +
 tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml | 3 +++
 .../roles/tripleo_ipa_setup/tasks/get_ipa_user_keytab.yml | 2 +-
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml b/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml
index 84650aa..f39ef2c 100644
--- a/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml
+++ b/tripleo_ipa/roles/tripleo_ipa_dns/tasks/dns.yaml
@@ -28,6 +28,7 @@
 - name: add dns zone
   ipa_dnszone:
     zone_name: "{{ zone_name }}"
+  become: true
 
 - name: add forward dns record
   ipa_dnsrecord:
@@ -35,6 +36,7 @@
     record_name: "{{ record_name }}"
     record_type: "{{ record_type }}"
     record_value: "{{ record_value }}"
+  become: true
 
 - name: get reverse record data
   set_fact:
@@ -59,6 +61,7 @@
   failed_when:
     - "'zone' not in reverse_zone_result"
     - "'already exists in DNS' not in reverse_zone_result.msg"
+  become: true
 
 - name: add reverse dns record
   ipa_dnsrecord:
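Review bot: Each of the three tasks in this file gets its own `become: true` (the fourth in the next hunk at @@ -70,3 follows the same pattern), so a task added to dns.yaml later that also needs the keytab will silently run unprivileged; wrapping the tasks in one `block:` that carries `become: true`, or having the calling play set it, would keep the escalation in a single place. Since these ipa_* tasks now run as root, a one-line comment on the first task would stop a reader assuming the IPA API calls themselves require root, e.g. `# become: the keytab is root-owned (Partial-Bug 1886870)`. Whether ipa_dnszone/ipa_dnsrecord actually read the local keytab or authenticate with their own ipa_user/ipa_pass arguments is not visible in the hunk; if it is the latter, the escalation here is broader than the commit needs.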
@@ -70,3 +73,4 @@
   failed_when:
     - "'record' not in reverse_record_result"
     - "'DNS zone not found' not in reverse_record_result.msg"
+  become: true
diff --git a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
index 69d1d02..1d89b7b 100644
--- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/main.yml
@@ -33,6 +33,7 @@
 
 - name: add main host to IPA with OTP
   when: enroll_base_server|bool
+  become: true
   block:
     - name: get host raw data and keytab info
       command: "ipa host-show --raw --all {{ base_server_fqdn }}"
diff --git a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml
index 2d5c624..ff1946e 100644
--- a/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_registration/tasks/services.yml
@@ -36,6 +36,7 @@
     force: true
     state: present
     validate_certs: false
+  become: true
 
 - name: add service
   ipa_service:
@@ -43,6 +44,7 @@
     force: true
     state: present
     validate_certs: false
+  become: true
   register: my_service
 
 - name: add host to managed_hosts if needed
@@ -53,3 +55,4 @@
     state: present
     hosts: "{{ my_service['host']['managedby_host'] + [ base_server_fqdn ] }}"
     validate_certs: false
+  become: true
diff --git a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/get_ipa_user_keytab.yml b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/get_ipa_user_keytab.yml
index d5ac629..ab29172 100644
--- a/tripleo_ipa/roles/tripleo_ipa_setup/tasks/get_ipa_user_keytab.yml
+++ b/tripleo_ipa/roles/tripleo_ipa_setup/tasks/get_ipa_user_keytab.yml
@@ -23,7 +23,7 @@
   set_fact:
     nova_service: "nova/{{ undercloud_fqdn }}"
     nova_keytab: "/etc/novajoin/krb5.keytab"
-    nova_keytab_group: "tripleo-admin"
+    nova_keytab_group: "root"
 
 - name: add directory for keytab
   file:
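Review bot: Setting `nova_keytab_group: "root"` in get_ipa_user_keytab.yml only restricts the keytab if the mode applied by the `file:` tasks that follow (they start outside the hunk) keeps `/etc/novajoin/krb5.keytab` unreadable by others, e.g. `0640`; please confirm that, and that no other role still expects the tripleo-admin group to read it. A short comment beside the new value would record the reason root was chosen, e.g. `# tripleo-admin is no longer the ansible_ssh_user (bug 1884123); readers must use become`. For the main.yml block, `become: true` also changes the user under which `ipa host-show` runs, so a Kerberos credential cache obtained as the unprivileged user will not be visible to that command unless the kinit happens as root as well, which this hunk does not show.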