Merge "Enabling support for Thales Luna user id and group id."

Zuul · openstack-gerrit · commit e0b7cb9d8b45 · 2025-05-06T07:45:46.000Z
diff --git a/docker/barbican/barbican-base/Dockerfile.j2 b/docker/barbican/barbican-base/Dockerfile.j2
@@ -7,7 +7,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
 {% import "macros.j2" as macros with context %}
 
-{{ macros.configure_user(name='barbican', groups='nfast') }}
+{{ macros.configure_user(name='barbican', groups='nfast,hsmusers') }}
 
 {{ macros.install_packages(barbican_base_packages | customizable("packages")) }}
 
diff --git a/kolla/common/users.py b/kolla/common/users.py
@@ -341,5 +341,9 @@
     'opensearch-dashboards-user': {
         'uid': 42492,
         'gid': 42492,
+    },
+    'hsmusers-user': {
+        'uid': 42493,  # This is not used, but the group ID is required.
+        'gid': 42493,
     }
 }
diff --git a/releasenotes/notes/fix-luna-hsm-deployment-permissions-issue-dfc2d8c92d2eaf57.yaml b/releasenotes/notes/fix-luna-hsm-deployment-permissions-issue-dfc2d8c92d2eaf57.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    Fixes a bug with Thales Luna HSM deployments.
+    The new client software version requires the use of a specific group
+    called "hsmusers", and for consistency reasons, we are specifying
+    both, the user id and the group id, and inserting the Barbican username
+    inside of such a group.
+    More information can be found at
+    `LP#Luna <https://www.thalesdocs.com/gphsm/luna/7/docs/pci/Content/install/client_install/linux_install.htm>`__

Original file line number	Diff line number	Diff line change
`@@ -341,5 +341,9 @@`
`341`	`341`	`'opensearch-dashboards-user': {`
`342`	`342`	`'uid': 42492,`
`343`	`343`	`'gid': 42492,`
	`344`	`+ },`
	`345`	`+ 'hsmusers-user': {`
	`346`	`+ 'uid': 42493, # This is not used, but the group ID is required.`
	`347`	`+ 'gid': 42493,`
`344`	`348`	`}`
`345`	`349`	`}`