diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla
index 4b639fe1f9b042b835ce13547183764623ad4dc4..4a282fb614c210b169e2eb516ea6f0b28591b477 100644
--- a/ansible/group_vars/all/kolla
+++ b/ansible/group_vars/all/kolla
@@ -298,6 +298,16 @@ kolla_openstack_logging_debug: "False"
# Upper constraints file for installation of Kolla.
kolla_upper_constraints_file: "https://raw.githubusercontent.com/openstack/requirements/stable/queens/upper-constraints.txt"
+# User account to use for Kolla SSH access.
+kolla_ansible_user: kolla
+
+# Primary group of Kolla SSH user.
+kolla_ansible_group: kolla
+
+# Whether to use privilege escalation for all operations performed via Kolla
+# Ansible.
+kolla_ansible_become: true
+
###############################################################################
# Kolla feature flag configuration.
diff --git a/ansible/kolla-target-venv.yml b/ansible/kolla-target-venv.yml
index e9bde2c055c35701505c97cab6f737ae9178262a..af15dd443b4ce69a145bcd3c0ad1ce7b1fe7b11b 100644
--- a/ansible/kolla-target-venv.yml
+++ b/ansible/kolla-target-venv.yml
@@ -39,7 +39,7 @@
path: "{{ kolla_ansible_target_venv }}"
recurse: True
state: directory
- owner: kolla
- group: kolla
+ owner: "{{ kolla_ansible_user }}"
+ group: "{{ kolla_ansible_group }}"
become: True
when: kolla_ansible_target_venv is not none
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index 3f7e5e32030e03c05cbb3a14edac7ebc0adc3488..51b4600e9992cca14f687a9e7bb45a42f9abf611 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -38,6 +38,16 @@ kolla_node_custom_config_path:
# Path to kolla-ansible passwords.yml input file.
kolla_ansible_passwords_path:
+# User account to use for Kolla SSH access.
+kolla_ansible_user: kolla
+
+# Primary group of Kolla SSH user.
+kolla_ansible_group: kolla
+
+# Whether to use privilege escalation for all operations performed via Kolla
+# Ansible.
+kolla_ansible_become: true
+
###############################################################################
# Kolla-ansible inventory configuration.
diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2
index 4e8642b4dc5eac6aae5b564ffb6c6aced973edfd..c9d54e77ce514116bd181f71937ad31788de0ecf 100644
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@@ -48,6 +48,12 @@ kolla_external_vip_address: "{{ kolla_external_vip_address }}"
# kolla_external_vip_address.
kolla_external_fqdn: "{{ kolla_external_fqdn }}"
+# User account to use for Kolla SSH access.
+kolla_user: "{{ kolla_ansible_user }}"
+
+# Primary group of Kolla SSH user.
+kolla_group: "{{ kolla_ansible_group }}"
+
################
# Docker options
################
diff --git a/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2 b/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2
index 25379f8c888ca694f08b5a82d13705882be1b68c..dadf1f1545c1a257adac4bdef6e9f98aeeb62d37 100644
--- a/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2
+++ b/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2
@@ -28,8 +28,10 @@
{% endfor %}
[overcloud:vars]
-ansible_user=kolla
+ansible_user={{ kolla_ansible_user }}
+{% if kolla_ansible_become | bool %}
ansible_become=true
+{% endif %}
{% if kolla_ansible_target_venv is not none %}
# Execute ansible modules on the remote target hosts using a virtualenv.
ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python
diff --git a/ansible/roles/kolla-ansible/templates/seed.j2 b/ansible/roles/kolla-ansible/templates/seed.j2
index 20f8266949fbe3a6d54db6b2594c0172f368d486..bc66951c8e298b77fca4452419c9fb42d44f0be5 100644
--- a/ansible/roles/kolla-ansible/templates/seed.j2
+++ b/ansible/roles/kolla-ansible/templates/seed.j2
@@ -6,7 +6,7 @@
{% endfor %}
[seed:vars]
-ansible_user=kolla
+ansible_user={{ kolla_ansible_user }}
{% if kolla_ansible_target_venv is not none %}
# Execute ansible modules on the remote target hosts using a virtualenv.
ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python
diff --git a/ansible/roles/kolla-ansible/tests/test-defaults.yml b/ansible/roles/kolla-ansible/tests/test-defaults.yml
index 6cb61e23fe2c272f4abcd13bbafb5dcd047aae44..c20daf845cbd43780b16a6ff89871cc2906a5d59 100644
--- a/ansible/roles/kolla-ansible/tests/test-defaults.yml
+++ b/ansible/roles/kolla-ansible/tests/test-defaults.yml
@@ -97,6 +97,8 @@
kolla_enable_tls_external: False
kolla_external_fqdn_cert: "fake-cert"
openstack_logging_debug: False
+ kolla_user: "kolla"
+ kolla_group: "kolla"
- name: Validate variables are absent from globals.yml
assert:
diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml
index f7afc08ac6e73e66d34e13a005c0f9232141f3ac..96219798a1d3f1d0a813b59e3e7e4b5aab8ca7d8 100644
--- a/ansible/roles/kolla-ansible/tests/test-extras.yml
+++ b/ansible/roles/kolla-ansible/tests/test-extras.yml
@@ -23,6 +23,8 @@
kolla_node_custom_config_path: "{{ temp_path }}/etc/kolla/config"
kolla_ansible_passwords_path: "{{ temp_path }}/passwords.yml"
# Config.
+ kolla_ansible_user: "fake-user"
+ kolla_ansible_group: "fake-group"
kolla_base_distro: "fake-distro"
kolla_install_type: "fake-install-type"
kolla_docker_namespace: "fake-namespace"
@@ -167,6 +169,8 @@
globals_yml: "{{ lookup('file', temp_path ~ '/etc/kolla/globals.yml') | from_yaml }}"
expected_variables:
config_strategy: "COPY_ALWAYS"
+ kolla_user: "fake-user"
+ kolla_group: "fake-group"
kolla_base_distro: "fake-distro"
kolla_install_type: "fake-install-type"
openstack_release: "fake-release"
diff --git a/ansible/roles/swift-setup/tasks/rings.yml b/ansible/roles/swift-setup/tasks/rings.yml
index af092aa3614b772164e5e9945bfd24b4f9aaab32..3ecbca293697e9d38b7d6f010af88c06774f46e5 100644
--- a/ansible/roles/swift-setup/tasks/rings.yml
+++ b/ansible/roles/swift-setup/tasks/rings.yml
@@ -55,8 +55,8 @@
src: "{{ swift_ring_build_path }}/{{ item[0] }}.{{ item[1] }}"
dest: "{{ kolla_config_path }}/config/swift/{{ item[0] }}.{{ item[1] }}"
remote_src: True
- owner: kolla
- group: kolla
+ owner: "{{ ansible_user_uid }}"
+ group: "{{ ansible_user_gid }}"
mode: 0644
with_nested:
- "{{ swift_service_names }}"
diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
index ca588c0f81e08f82422bcf43a8c6e16e2c93736a..3b208b342dc0c9926c7f29faa7ed981e4394eac8 100644
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
@@ -141,6 +141,19 @@
# Whether debug logging is enabled.
#kolla_openstack_logging_debug:
+# Upper constraints file for installation of Kolla.
+#kolla_upper_constraints_file:
+
+# User account to use for Kolla SSH access.
+#kolla_ansible_user:
+
+# Primary group of Kolla SSH user.
+#kolla_ansible_group:
+
+# Whether to use privilege escalation for all operations performed via Kolla
+# Ansible.
+#kolla_ansible_become:
+
###############################################################################
# Kolla feature flag configuration.
diff --git a/releasenotes/notes/kolla-user-group-85bbe8038c3f719c.yaml b/releasenotes/notes/kolla-user-group-85bbe8038c3f719c.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..60ab315523ded5de8f273bd8455bedbd1e1d19ae
--- /dev/null
+++ b/releasenotes/notes/kolla-user-group-85bbe8038c3f719c.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Adds support for configuration of the user used by Kolla Ansible for remote
+ execution. The user is configured via ``kolla_ansible_user``, its primary
+ group via ``kolla_ansible_group``, and ``kolla_ansible_become`` determines
+ whether privilege escalation is used by Kolla Ansible for all tasks or only
+ required tasks.