Diff for keystone 2012.1.1-7, trying to fix RC bug #687311
Hi,
At this point of the release, and in order not to upload whatever stupid
stuff not fixing everything, I wouldn't be against a quick review of the
attached diff (and the rest of debconf handling) by some experienced DD,
because I don't think I'm fixing all problems here.
FYI, you can also get the Git from:
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=openstack/keystone.git
Vcs-Git: git://anonscm.debian.org/openstack/keystone.git
I believe that the handling of the admin_token variable in keystone.conf
is now correct (it wasn't before as admin changes in it were not
updating debconf variables), but I'm not sure about the dbconfig-common
(for which I have only a limited experience). Is there a way to tell
dbconfig-common when the user changed the db back-end in his
keystone.conf for example?
Current diff between version -6 and -7 is attached. Comments welcome.
Cheers,
Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog
index cbc8543..37519fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+keystone (2012.1.1-7) unstable; urgency=low
+
+ * Fixes band handling (eg: policy violation) of keystone.conf which was
+ conffiles, but changed in the posinst (Closes: #687311).
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 12 Sep 2012 17:09:47 +0000
+
keystone (2012.1.1-6) unstable; urgency=high
* CVE-2012-4413: Revoking a role does not affect existing tokens
diff --git a/debian/keystone.config b/debian/keystone.config
index 84aad01..f41c2d4 100644
--- a/debian/keystone.config
+++ b/debian/keystone.config
@@ -3,6 +3,14 @@ set -e
. /usr/share/debconf/confmodule
+KEY_CONF=/etc/keystone/keystone.conf
+
+if [ -e "${KEY_CONF}" ] ; then
+ KEY_CONF_AUTH_TOKEN=`grep -E "([ \t])*admin_token([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'`
+ if [ -n "${KEY_CONF_AUTH_TOKEN}" ] ; then
+ db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN}
+ fi
+fi
db_input low keystone/auth-token || true
db_input low keystone/configure_db || true
db_go
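Review bot: The `grep | awk` extraction of `admin_token` is not anchored to the start of the line, so a commented-out `# admin_token = ADMIN` line also matches and two matching lines give a multi-line value. `awk '{print $3}'` also returns nothing when the setting is written as `admin_token=value` without spaces. A stricter form is `KEY_CONF_AUTH_TOKEN=$(sed -n 's/^[[:space:]]*admin_token[[:space:]]*=[[:space:]]*//p' "${KEY_CONF}" | tail -n 1)`, and the value should be quoted in `db_set keystone/auth-token "${KEY_CONF_AUTH_TOKEN}"`. The token is a credential that is now copied into the debconf database on every configure run. If the `keystone/auth-token` template (not visible in this diff) is not of type `password`, the value typically ends up in the world-readable debconf cache rather than the restricted password store.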
diff --git a/debian/keystone.install b/debian/keystone.install
index 9dfb505..26d1053 100644
--- a/debian/keystone.install
+++ b/debian/keystone.install
@@ -1,2 +1,4 @@
usr/bin/*
-etc/* etc/keystone
\ No newline at end of file
+etc/default_catalog.templates /etc/keystone
+etc/logging.conf.sample /usr/share/doc/keystone
+etc/policy.json /etc/keystone
diff --git a/debian/keystone.postinst b/debian/keystone.postinst
index 9692a90..b97c9a6 100755
--- a/debian/keystone.postinst
+++ b/debian/keystone.postinst
@@ -13,6 +13,13 @@ then
--disabled-password \
--group keystone
+ # Create config files if they don't exist
+ if ! [ -e /etc/keystone ] ; then
+ mkdir /etc/keystone
+ fi
+ if ! [ -e /etc/keystone/keystone.conf ] ; then
+ cp /usr/share/doc/keystone/keystone.conf.sample /etc/nova/keystone.conf
+ fi
db_get keystone/configure_db
if [ "$RET" = "true" ]; then
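Review bot: The added `cp` writes the sample to `/etc/nova/keystone.conf`, while the test on the line before it checks `/etc/keystone/keystone.conf`, so the file keystone reads is never created. Depending on whether `/etc/nova` exists, the copy either fails or drops a stray file into another package's directory; the destination should be `/etc/keystone/keystone.conf`. Because this file holds the admin token, it is safer to create the directory and file with restrictive modes up front, e.g. `install -d -m 0750 /etc/keystone` and `install -m 0640 /usr/share/doc/keystone/keystone.conf.sample /etc/keystone/keystone.conf`, than to rely on the `chown`/`chmod` in the later hunk. The enclosing `then` block starts above this hunk and continues past it.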
@@ -54,12 +61,9 @@ then
fi
fi
- if [ -z "$2" ]
- then
- db_get keystone/auth-token
- AUTH_TOKEN=${RET:-ADMIN}
- sed -s "s,^admin_token = ADMIN,admin_token = $AUTH_TOKEN," -i /etc/keystone/keystone.conf
- fi
+ db_get keystone/auth-token
+ AUTH_TOKEN=${RET:-ADMIN}
+ sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = ADMIN|' /etc/keystone/keystone.conf
chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone
chmod 0750 /etc/keystone
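Review bot: The new `sed` replacement hard-codes `admin_token = ADMIN` inside single quotes, so the `AUTH_TOKEN` read from debconf on the line above is never used. Every configure run, upgrades included now that the `-z "$2"` guard is gone, therefore resets the token to the well-known default. The line should substitute the variable, `sed -i -e "s|^[ \t]*admin_token[ \t]*=.*|admin_token = ${AUTH_TOKEN}|" /etc/keystone/keystone.conf`, with any `|`, `&` or `\` in the token escaped or rejected first. GNU sed also parses `-ie` as `-i` with backup suffix `e`, which leaves a `keystone.confe` copy of the previous file (and previous token) in `/etc/keystone`; write `-i -e` instead. The surrounding `then` block begins outside this hunk.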
diff --git a/debian/keystone.postrm b/debian/keystone.postrm
index ca5d17f..402b5e3 100644
--- a/debian/keystone.postrm
+++ b/debian/keystone.postrm
@@ -20,6 +20,7 @@ case "$1" in
purge)
rm -rf /var/log/keystone
rm -rf /var/lib/keystone
+ rm -rf /etc/keystone
esac
#DEBHELPER#
diff --git a/debian/rules b/debian/rules
index 2f33685..a65662a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -42,6 +42,7 @@ override_dh_install:
rm -rf debian/python-keystone/usr/lib/python*/*/doc
rm -rf debian/python-keystone/usr/lib/python*/*/tools
rm -rf debian/python-keystone/usr/lib/python*/*/examples
+ cp -f etc/keystone.conf /usr/share/doc/keystone/keystone.conf.sample
override_dh_clean:
rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache
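Review bot: The added `cp -f` in `override_dh_install` targets `/usr/share/doc/keystone/` on the build machine itself rather than the package staging tree. The sample therefore never ends up in the .deb, and the build writes outside its own directory (or fails without root). It presumably should be `install -D -m 0644 etc/keystone.conf $(CURDIR)/debian/keystone/usr/share/doc/keystone/keystone.conf.sample`, assuming `debian/keystone` is the staging directory in the same way `debian/python-keystone` is for the other package. Debian Policy also says a package must not require files under `/usr/share/doc` in order to work, so a location such as `/usr/share/keystone/` would suit a file the postinst copies from.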