[MediaWiki-commits] [Gerrit] operations/puppet[production]: Revert "Keystonehooks: Exclude 'novaobserver' user from posi...

Andrew Bogott (Code Review) Tue, 04 Apr 2017 14:30:06 -0700

Andrew Bogott has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/346451 )


Change subject: Revert "Keystonehooks: Exclude 'novaobserver' user from posix 
user group."
......................................................................

Revert "Keystonehooks: Exclude 'novaobserver' user from posix user group."

It turns out that ldap hates empty groups, so we need to leave
novaadmin in as a placeholder.  (And, note that the commit message
of the reverted patch is incorrect, it actually excluded novaadmin,
which this patch now replaces.)

This reverts commit a6c068d9b0318c9b3c8ac1c7fd8a3b7bb05f061b.

Change-Id: I596c71a315559664db275ee1047b93d342f585a1
---
M modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
1 file changed, 2 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/51/346451/1

diff --git 
a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py 
b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
index ecd693c..8f4bced 100644
--- a/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
+++ b/modules/openstack/files/liberty/keystone/wmfkeystonehooks/ldapgroups.py
@@ -117,10 +117,6 @@
 
 
 def sync_ldap_project_group(project_id, keystone_assignments):
-    # These are special users that exist only for nova and
-    #  keystone permissions.  No need to add them to posix groups.
-    exclude_users = set(['novaobserver', 'novaadmin'])
-
     groupname = "project-%s" % project_id.encode('utf-8')
     LOG.info("Syncing keystone project membership with ldap group %s"
              % groupname)
@@ -133,7 +129,8 @@
     for key in keystone_assignments:
         allusers |= set(keystone_assignments[key])
 
-    allusers -= exclude_users
+    if 'novaobserver' in allusers:
+        allusers.remove('novaobserver')
 
     basedn = cfg.CONF.wmfhooks.ldap_user_base_dn
     members = ["uid=%s,%s" % (user.encode('utf-8'), basedn)

-- 
To view, visit https://gerrit.wikimedia.org/r/346451
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I596c71a315559664db275ee1047b93d342f585a1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

[MediaWiki-commits] [Gerrit] operations/puppet[production]: Revert "Keystonehooks: Exclude 'novaobserver' user from posi...

Reply via email to