Comment 2 for bug 2052011

Dmitriy Rabotyagov (noonedeadpunk) wrote :

Hi,

I finally got some time to work on this issue.

Looking at my sandbox right now, I think there are 2 different issues.

The first one, which is obviously wrong, is regarding wrong permissions set for the `openstack_dashboard/local/` folder. And this one I will fix right away.

The second part is regarding .secret_key_store specifically. This is actually a bit different. In a default template of user_secrets.yml we do have `horizon_secret_key` variable, which is expected to be populated during initial setup:
https://opendev.org/openstack/openstack-ansible/src/branch/master/etc/openstack_deploy/user_secrets.yml#L136

This variable is then used to define the `SECRET_KEY` and ensures that the key will be the same across all backends.

However, if the variable `horizon_secret_key` is not defined, the approach suggested by Horizon will be used, which is to place .secret_key_store under LOCAL_PATH:
https://docs.openstack.org/horizon/latest/configuration/settings.html#secret-key

Which is exactly what we are doing:
https://opendev.org/openstack/openstack-ansible-os_horizon/src/commit/d4ef66fc028477709d6e4bd36a2bb39c957c3eae/templates/horizon_local_settings.py.j2#L140-L154

You should also be able to define any arbitrary path for the secret key by leveraging the `horizon_config_overrides` variable, for example:

horizon_config_overrides:
  SECRET_KEY: secret_key.generate_or_read_from_file('/var/cache/.secret_key_store')

But for a multi-backend setup I'd suggest using `horizon_secret_key`, as the secret key should be the same across all workers.
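
An added example (not part of the comment above and not openstack-ansible code): a Python check an operator could run on each backend for the two points raised here, permissions on the key file and its directory, and whether all backends hold the same key. The function names and the policy applied (no group/other access, owner equals the expected UID, parent directory not world-writable) are assumptions.

```python
import hashlib
import os
import stat
import sys


def audit_secret_key_store(key_file, expected_uid=None):
    """Return a list of permission findings for a secret key file (empty = OK)."""
    # Assumption: the file should belong to the user running the check unless told otherwise.
    expected_uid = os.geteuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(key_file)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return ["key file is missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["key file is not a regular file"]
    findings = []
    if st.st_mode & 0o077:
        findings.append("key file is accessible to group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    if st.st_uid != expected_uid:
        findings.append("key file is owned by uid %d, expected %d"
                        % (st.st_uid, expected_uid))
    parent = os.stat(os.path.dirname(os.path.abspath(key_file)))
    # A world-writable directory lets any local user replace the key file.
    if parent.st_mode & 0o002 and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without the sticky bit")
    return findings


def key_fingerprint(key_file):
    """SHA-256 of the key, so backends can be compared without printing the key."""
    with open(key_file, "rb") as f:
        return hashlib.sha256(f.read().strip()).hexdigest()


if __name__ == "__main__":
    # Usage: python3 check_key.py /path/to/.secret_key_store [more paths...]
    for path in sys.argv[1:]:
        problems = audit_secret_key_store(path)
        print(path, "OK" if not problems else "; ".join(problems))
        if "key file is missing" not in problems:
            print("  fingerprint:", key_fingerprint(path))
```

Differing fingerprints between backends mean each one generated its own `.secret_key_store`, which is the situation `horizon_secret_key` avoids.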