Bug 1313054
| Summary: | [RFE] Allow changing passwords for overcloud OpenStack "admin" or service users | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Pablo Caruana <pcaruana> |
| Component: | rhosp-director | Assignee: | Angus Thomas <athomas> |
| Status: | CLOSED DUPLICATE | QA Contact: | Arik Chernetsky <achernet> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 (Kilo) | CC: | ayoung, cchen, dbecker, dprince, jbuchta, jcoufal, kbasil, mburns, mcornea, morazi, mtessun, nkinder, pablo.iranzo, rcritten, rhel-osp-director-maint |
| Target Milestone: | Upstream M3 | Keywords: | FutureFeature |
| Target Release: | 12.0 (Pike) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-20 18:09:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1339506 | ||
|
Description
Pablo Caruana
2016-02-29 20:03:42 UTC
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10. Is this possible in Tripleo? To regenerate the generated passwords when doing a redeploy? It is not Keystone specific, as the same kind of thing would be needed for Rabbit, and for databases. Using the CLI most users would get initial passwords generated via python-tripleoclient. These CLI passwords can be overridden by environment variables on the CLI by specifying something like (for glance) OVERCLOUD_GLANCE_PASSWORD. Python-tripleoclient uses these environment variables to construct a heat environment to set all of these passwords. If an end user wanted to change a password for one of the services (manually) and have it re-deployed via Heat then one could create a custom Heat environment file and append it onto the 'overcloud deploy' command with a -e. So something like: parameters_defaults: GlancePassword: fooboar This would set the Glance password to the hard coded value above. All of this works today and should allow changing passwords driven via Heat. The tricker parts of this are where these passwords apply to keystone and or mysql database settings that also need to be update. In some cases the puppet providers should take care of updating passwords for these services accordingly. In others there may be manual changes required for cluster type password changes and there is probably still feature work to do on this front (Rabbit and Mysql password changes for example). Hi Dan, It seems that AdminPassword can not be set in this way. parameter_defaults: AdminPassword: "redhatgss" The deployment itself succeeded but the endpoints are abnormal: Only the endpoints for nova were created. MariaDB [keystone]> select interface,url,enabled from endpoint; +-----------+---------------------------------+---------+ | interface | url | enabled | +-----------+---------------------------------+---------+ | internal | http://192.168.124.21:5000/v2.0 | 1 | | public | http://10.11.48.181:5000/v2.0 | 1 | | admin | http://192.0.2.14:35357/v2.0 | 1 | +-----------+---------------------------------+---------+ Is this a known bug or do I need to file a new one ? Best Regards, Chen Sorry not nova endpoints but keystone endpoints... Chen: This might be a new, but related bug. I'm going to try and replicate this myself today. Changing deployed passwords is in the same problem space as rotating passwords, closing as duplicate. *** This bug has been marked as a duplicate of bug 1337297 *** |