Our playbooks depend on the keystone user being able to log in,
but keystone isn't a member of the allowed groups (AllowGroups) for ssh.
This fixes that and optimistically adds ironic as well.
signed-off-by: dave kormann <davek@research.att.com>
Change-Id: Ia20065deab4ae4087e3a5918e891a2b73f5cbbed
regexp: '[\s]*ClientAliveCountMax'
values: "ClientAliveCountMax 0\n"
regexp: '[\s]*ClientAliveCountMax'
values: "ClientAliveCountMax 0\n"
-- name: "Limit logins to members of {{ users['admin_user_name'] }} group"
+- name: "Limit logins to members of admin, keystone, and ironic groups"
ssh_conf:
regexp: '[\s]*AllowGroups'
ssh_conf:
regexp: '[\s]*AllowGroups'
- values: "AllowGroups {{ users['admin_user_name'] }}\n"
+ values: "AllowGroups {{ users['admin_user_name'] }} {{ keystone_system_group_name |default('keystone') }} {{ ironic_system_group_name | default('ironic') }}\n"
- name: "Disable SSH Support for User Known Hosts"
ssh_conf:
- name: "Disable SSH Support for User Known Hosts"
ssh_conf:
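Review bot: The new `AllowGroups` value on the added `values:` line grants SSH login to the ironic group, although the commit message names only keystone as something the playbooks need, so sshd is opened to a service account with no stated use. `AllowGroups` admits any account whose primary or supplementary group matches, so each extra group widens the set of accounts that can reach a login on the host. Consider leaving ironic out until a playbook requires it, e.g. `values: "AllowGroups {{ users['admin_user_name'] }} {{ keystone_system_group_name | default('keystone') }}\n"`, and confirming that the keystone account is limited to key-based authentication if the role does not already enforce that. The task name also hardcodes "admin, keystone, and ironic groups" while the value is templated, so it becomes misleading as soon as either group variable is overridden.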