diff --git a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data index 898fe26d9..c428b1f1d 100644 --- a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data +++ b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data @@ -1 +1 @@ -TIS_PATCH_VER=8 +TIS_PATCH_VER=9 diff --git a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/0007-update-Barbican-admin-secret-s-user-project-IDs.patch b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/0007-update-Barbican-admin-secret-s-user-project-IDs.patch new file mode 100644 index 000000000..b596409f3 --- /dev/null +++ b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/0007-update-Barbican-admin-secret-s-user-project-IDs.patch @@ -0,0 +1,33 @@ +From a53d9bfc15e1d24a604fcc461f9a6e1483ed262d Mon Sep 17 00:00:00 2001 +From: Andy Ning +Date: Mon, 4 Nov 2019 20:51:22 -0500 +Subject: [PATCH 1/1] update Barbican admin secret's user/project IDs + +Signed-off-by: Andy Ning +--- + SPECS/puppet-keystone.spec | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/SPECS/puppet-keystone.spec b/SPECS/puppet-keystone.spec +index 5b5e255..ae233f0 100644 +--- a/SPECS/puppet-keystone.spec ++++ b/SPECS/puppet-keystone.spec +@@ -15,6 +15,7 @@ Patch0002: 0002-remove-the-Keystone-admin-app.patch + Patch0003: 0003-remove-eventlet_bindhost-from-Keystoneconf.patch + Patch0004: 0004-escape-special-characters-in-bootstrap.patch + Patch0005: 0005-Add-support-for-fernet-receipts.patch ++Patch0006: 0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch + + BuildArch: noarch + +@@ -37,6 +38,7 @@ Puppet module for OpenStack Keystone + %patch0003 -p1 + %patch0004 -p1 + %patch0005 -p1 ++%patch0006 -p1 + + find . -type f -name ".*" -exec rm {} + + find . -size 0 -exec rm {} + +-- +1.8.3.1 + diff --git a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER index be22cf58c..ce35c5e99 100644 --- a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER +++ b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER @@ -4,3 +4,4 @@ 0004-remove-eventlet_and_bindhost-from-keystoneconf.patch 0005-escape-special-characters-in-bootstrap.patch 0006-Add-support-for-fernet-receipts.patch +0007-update-Barbican-admin-secret-s-user-project-IDs.patch diff --git a/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/patches/0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/patches/0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch new file mode 100644 index 000000000..0132b487f --- /dev/null +++ b/config/puppet-modules/openstack/puppet-keystone-11.3.0/centos/patches/0006-update-Barbican-admin-secret-s-user-project-IDs-duri.patch @@ -0,0 +1,63 @@ +From 60f023e20c7e1f98d1f71fb04e829a3ff0477f65 Mon Sep 17 00:00:00 2001 +From: Andy Ning +Date: Mon, 4 Nov 2019 20:20:28 -0500 +Subject: [PATCH 1/1] update Barbican admin secret's user/project IDs during + bootstrap + +In a DC system when subcloud is managed, keystone user/project IDs are +synced with Central Cloud, including admin user and project. But the +admin's secrets in Barbian still use the original user/project IDs, +causing docker registry access failure when platform-integ-apps is +reapplied. + +This updated keystone admin user/project IDs to be the same as Central +Cloud right after keystone is bootstrapped during subcloud deployment. +This way any referece to admin user/project IDs after bootstrap will be +using the IDs same as Central Cloud, including the ones in Barbican. +This will solve the problem of registry access failure issue. + +Closes-Bug: 1851247 +Signed-off-by: Andy Ning +--- + manifests/init.pp | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/manifests/init.pp b/manifests/init.pp +index 7bb0094..421259c 100644 +--- a/manifests/init.pp ++++ b/manifests/init.pp +@@ -791,6 +791,8 @@ class keystone( + $rabbit_port = $::os_service_default, + $rabbit_userid = $::os_service_default, + $rabbit_virtual_host = $::os_service_default, ++ $dc_admin_user_id = undef, ++ $dc_admin_project_id = undef, + ) inherits keystone::params { + + include ::keystone::deps +@@ -1311,6 +1313,22 @@ running as a standalone service, or httpd for being run by a httpd server") + subscribe => Anchor['keystone::dbsync::end'], + tag => 'keystone-exec', + } ++ ++ if $dc_admin_user_id and $dc_admin_project_id { ++ exec { 'update keystone admin assignment actor_id': ++ command => "sudo -u postgres psql -d keystone -c \"update public.assignment set actor_id='$dc_admin_user_id' from public.local_user where public.assignment.actor_id=public.local_user.user_id and public.local_user.name='admin'\"", ++ require => Exec['keystone-manage bootstrap'], ++ } ++ -> exec { 'update keystone admin assignment target_id': ++ command => "sudo -u postgres psql -d keystone -c \"update public.assignment set target_id='$dc_admin_project_id' from public.project where public.assignment.target_id=public.project.id and public.project.name='admin'\"", ++ } ++ -> exec { 'update keystone admin user id': ++ command => "sudo -u postgres psql -d keystone -c \"update public.user set id='$dc_admin_user_id' from public.local_user where public.user.id=public.local_user.user_id and public.local_user.name='admin'\"", ++ } ++ -> exec { 'update keystone admin project id': ++ command => "sudo -u postgres psql -d keystone -c \"update public.project set id='$dc_admin_project_id' where name='admin'\"", ++ } ++ } + } + + # WRS: Now that the keystone service has started, +-- +1.8.3.1 +