Fix permission denied during Fernet key rotation

During a deploy, if keystone Fernet key rotation happens before the
keystone container starts, the rotation may fail with 'permission
denied'. This happens because config.json for Keystone sets the
permissions for /etc/keystone/fernet-keys.

This change fixes the issue by also setting the permissions for
/etc/keystone/fernet-keys in config.json for keystone-fernet and
keystone-ssh.

Change-Id: I561e4171d14dcaad8a2a9a36ccab84a670daa904
Closes-Bug: #1888512
Mark Goddard 2020-10-22 09:33:11 +01:00
parent ffef1f2953
commit b45679f122
3 changed files with 21 additions and 0 deletions

@ -50,5 +50,12 @@
"owner": "keystone",
"perm": "0600"
}{% endif %}
],
"permissions": [
{
"path": "/etc/keystone/fernet-keys",
"owner": "keystone:keystone",
"perm": "0770"
}
]
}
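
Review bot: `"perm": "0770"` on /etc/keystone/fernet-keys gives the keystone group write access to the directory holding the Fernet keys, while the file entry just above it is `"perm": "0600"` with owner keystone. If only the keystone user needs to create and rotate keys in this directory, 0700 would be the tighter mode. If group access is needed, please say in the commit message which process relies on it. Whichever value is chosen, it has to be identical to the one the Keystone config.json already sets for this path, otherwise the resulting mode still depends on which container starts first.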

@ -13,5 +13,12 @@
"owner": "keystone",
"perm": "0600"
}
],
"permissions": [
{
"path": "/etc/keystone/fernet-keys",
"owner": "keystone:keystone",
"perm": "0770"
}
]
}
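
Review bot: the `"permissions"` entry added here is a verbatim copy of the one in the previous file, and per the commit message the Keystone config.json carries the same setting, so the path, owner and mode now live in three places. A later change to one copy alone would bring back the start-order dependency this commit fixes. Consider a short comment in the templates or a shared variable for the owner and mode so the three stay aligned.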

@ -0,0 +1,7 @@
---
fixes:
- |
Fixes an issue where Keystone Fernet key rotation may fail due to
permission denied error if the Keystone rotation happens before the
Keystone container starts. `LP#1888512
<https://bugs.launchpad.net/kolla-ansible/+bug/1888512>`__
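
Review bot: the release note says "if the Keystone rotation happens", which reads as if Keystone itself were being rotated; "Fernet key rotation" would match the first half of the sentence and the commit title. "due to permission denied error" also needs an article ("due to a permission denied error"). It would help operators if the note named the keystone-fernet and keystone-ssh containers, since those are the ones whose config.json changes.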