upstream/openstack/keystone/debian/patches
Carmen Rata eb557c0450 Set keyring dir group ownership on password change
This commit changes the group ownership for "/opt/platform/.keyring"
directory, and its subdirectories and files, from "root" to
'sys_protected', when keystone password changes for the admin user.
The 'sys_protected' group ownership is needed to support access
privileges for OpenLDAP/WAD users and is implemented by the ansible
bootstrap configuration.
The group ownership update in this commit is required because after
a keystone and corresponding keyring password change for the admin
user, the group ownership of the "/opt/platform/.keyring" directory
has been reset to "root".
As a consequence, a ldap user loses permission to access files in
that directory.
The group ownership reset is done in the keystone package.
That is why the fix for this bug is delivered as a patch for the
keystone package.

Test Plan:
PASS: Verify the keystone patch install correctly.
PASS: Verify the group ownership was applied correctly
for files in "/opt/platform/.keyring" so are part of the
"sys_protected" group before changing keystone password for the admin
user.
PASS: Verify the group ownership for files in "/opt/platform/.keyring"
remains "sys_protected" after changing keystone password for the admin
user.
PASS: Verify that an openldap user that is part of the "sys_protected"
group can execute command: "source /etc/platform/openrc" after the
keystone password has been changed for the admin user.

Closes-Bug: 2039870

Change-Id: I0360d1f13725cca9900b967c32451fc6f7afe761
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
2023-10-20 02:57:36 +00:00
..
0001-Support-storing-users-in-keyring.patch Add support to keystone to store users in keyring on Debian 2022-04-09 16:03:20 +00:00
0002-change-group-perm-to-keyring-dir.patch Set keyring dir group ownership on password change 2023-10-20 02:57:36 +00:00
series Set keyring dir group ownership on password change 2023-10-20 02:57:36 +00:00