Bug 1594328 - [Deployment] Use secure ODL password by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z1
Target Release: 13.0 (Queens)
Assignee: Janki
QA Contact: Noam Manos
URL:
Whiteboard: Deployment
Depends On:
Blocks:
Reported: 2018-06-22 15:59 UTC by Daniel Farrell
Modified: 2022-07-09 11:34 UTC (History)

Fixed In Version: openstack-tripleo-common-8.6.1-22, openstack-tripleo-heat-templates-8.0.2-40
Doc Type: If docs needed, set a value
Doc Text:
To enhance security, the default OpenDaylightPassword “admin” is now replaced by a randomly generated 16-digit number. You can overwrite the randomly generated password by specifying a password in a heat template:

$ cat odl_password.yaml
parameter_defaults:
  OpenDaylightPassword: admin

And then pass the file to the overcloud deploy command:

openstack overcloud deploy <other env files> -e odl_password.yaml
Clone Of:
Environment:
N/A
Last Closed: 2018-07-19 14:27:12 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1778531 0 None None None 2018-06-25 14:20:48 UTC
OpenStack gerrit 577831 0 None MERGED Let TripleO generate ODLPassword 2020-04-05 23:04:00 UTC
OpenStack gerrit 577834 0 None MERGED Delete default ODL Password 2020-04-05 23:04:00 UTC
OpenStack gerrit 578504 0 None MERGED Let TripleO generate ODLPassword 2020-04-05 23:04:00 UTC
OpenStack gerrit 578505 0 None MERGED Delete default ODL Password 2020-04-05 23:04:00 UTC
Red Hat Issue Tracker ODL-236 0 None None None 2022-07-09 11:34:54 UTC
Red Hat Issue Tracker OSP-17208 0 None None None 2022-07-09 11:34:55 UTC
Red Hat Product Errata RHSA-2018:2214 0 None None None 2018-07-19 14:28:01 UTC

Description Daniel Farrell 2018-06-22 15:59:57 UTC
The default ODL NorthBound REST API username:password is admin:admin. I'm told there is nice TripleO magic that allows us to set this to some secure, random value. Should enable that for ODL.

Comment 14 Janki 2018-07-09 14:21:58 UTC
Hi. To verify this:

1. Deploy with the said rpms
2. check ODL password in overcloud plan. Plan can be generated by

openstack object save overcloud plan-environment.yaml

Check that "OpenDaylightPassword" in plan-environment.yaml is not "admin" or some English word but a randomly generated 16-digit (or so) number.

3. You can also verify this from puppet hieradata on controller nodes.
SSH into controller nodes and check for "opendaylight::password" in /etc/puppet/hieradata/service_configs.json.

4. Delete stack
5. Create env file with ODL Password
$ cat odl_password.yaml
parameter_defaults:
  OpenDaylightPassword: admin

6. Pass this file to the deploy command
openstack overcloud deploy <other env files> -e odl_password.yaml

7. Repeat steps 2 and 3 and check that ODL password has value "admin" and not some randomly generated digits.
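
The checks from steps 2, 3 and 7 written as a script; this is an added example, not part of the original comment or of TripleO. The function names, the sample files and the 16-character floor are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check the ODL password in plan-environment.yaml and hieradata.
# Only a verdict is printed, never the password itself.

# Value of OpenDaylightPassword in a plan-environment.yaml file.
plan_password() {
    sed -n 's/^[[:space:]]*OpenDaylightPassword:[[:space:]]*//p' "$1" |
        head -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# Value of "opendaylight::password" in puppet hieradata (JSON, one key per line).
hiera_password() {
    sed -n 's/.*"opendaylight::password"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# Prints missing, default, short or ok. The 16-character floor is an assumption
# taken from the "16 digit (or so)" wording in the bug.
classify_password() {
    case "$1" in
        "")    echo missing ;;
        admin) echo default ;;
        *)     if [ "${#1}" -lt 16 ]; then echo short; else echo ok; fi ;;
    esac
}

# Verdict for one deployment: $1 = plan-environment.yaml, $2 = service_configs.json.
# "mismatch" means the plan value never reached the controller's hieradata.
audit_odl_password() {
    plan=$(plan_password "$1")
    hiera=$(hiera_password "$2")
    verdict=$(classify_password "$plan")
    if [ "$verdict" = ok ] && [ "$plan" != "$hiera" ]; then verdict=mismatch; fi
    echo "$verdict"
}

# Constructed sample files (made-up values, not from a real deployment).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'parameter_defaults:\n  OpenDaylightPassword: admin\n' > "$tmp/plan-override.yaml"
printf 'parameter_defaults:\n  OpenDaylightPassword: Xk3exampleGENERATEDvalue9\n' > "$tmp/plan-generated.yaml"
printf '{\n  "opendaylight::password": "Xk3exampleGENERATEDvalue9"\n}\n' > "$tmp/service_configs.json"
printf '{\n  "opendaylight::password": "admin"\n}\n' > "$tmp/service_configs-admin.json"

echo "generated password: $(audit_odl_password "$tmp/plan-generated.yaml" "$tmp/service_configs.json")"
echo "admin override:     $(audit_odl_password "$tmp/plan-override.yaml" "$tmp/service_configs-admin.json")"
echo "stale hieradata:    $(audit_odl_password "$tmp/plan-generated.yaml" "$tmp/service_configs-admin.json")"
```

For step 7 the expected verdict is "default", since the override file deliberately sets "admin"; on any other deployment that verdict means the default credential is still in place.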

Comment 16 Noam Manos 2018-07-10 11:22:46 UTC
Verification steps completed on OSP13, puddle 2018-07-03.3 :

1. Deploy with the ODL CI production job:
DFG-opendaylight-odl-netvirt-13_director-rhel-virthost-3cont_2comp-ipv4-vxlan-ha-tempest

2. Delete stack:
# . stackrc
(undercloud) [stack@undercloud-0 ~]$ openstack stack delete overcloud --yes --wait

3. Remove ODL password from config_heat.yaml:
(undercloud) [stack@undercloud-0 ~]$ cp virt/config_heat.yaml virt/config_heat.yaml.bak
(undercloud) [stack@undercloud-0 ~]$ vi virt/config_heat.yaml - delete OpenDaylightUsername: odladmin

4. Re-deploy overcloud (takes ~30 minutes):
(undercloud) [stack@undercloud-0 ~]$ ./overcloud_deploy.sh

  Stack overcloud CREATE_COMPLETE

  Host 10.0.0.101 not found in /home/stack/.ssh/known_hosts
  Started Mistral Workflow tripleo.deployment.v1.get_horizon_url. Execution ID: c16ca26a-f246-4c98-b389-448d59fbb357
  Overcloud Endpoint: http://10.0.0.101:5000/
  Overcloud Horizon Dashboard URL: http://10.0.0.101:80/dashboard
  Overcloud rc file: /home/stack/overcloudrc
  Overcloud Deployed

5. Verify that ODL password was auto-generated during deployment:
(undercloud) [stack@undercloud-0 ~]$ openstack object save overcloud plan-environment.yaml
(undercloud) [stack@undercloud-0 ~]$ grep OpenDaylightPassword plan-environment.yaml

  OpenDaylightPassword: PGnH9bhnqtDGwTuNnC8JsR9dJ

6. Connect to Controller:
(undercloud) [stack@undercloud-0 ~]$ openstack server list | grep controller-0

  | 1f78a2f7-d333-4eea-80fb-729025cac70a | controller-0 | ACTIVE | ctlplane=192.168.24.12 | overcloud-full | controller |

(undercloud) [stack@undercloud-0 ~]$ ssh heat-admin.24.12


7. Check ODL containers status:
[heat-admin@controller-0 ~]$ sudo -s
[heat-admin@controller-0 ~]$ docker ps | grep opendaylight

  3993d1510f54        192.168.24.1:8787/rhosp13/openstack-neutron-server-opendaylight:2018-07-03.3   "kolla_start"            24 minutes ago      Up 24 minutes (healthy)                       neutron_api
  145caf8f011e        192.168.24.1:8787/rhosp13/openstack-opendaylight:2018-07-03.3                  "kolla_start"            50 minutes ago      Up 50 minutes (healthy)                       opendaylight_api

8. Find ODL REST URL:
[root@controller-0 heat-admin]# docker exec neutron_api grep -A3 ml2_odl /etc/neutron/plugin.ini
  [ml2_odl]
  username=odladmin
  password=PGnH9bhnqtDGwTuNnC8JsR9dJ
  url=http://172.17.1.16:8081/controller/nb/v2/neutron

9. Check Neutron API with CURL:
[root@controller-0 heat-admin]# curl -v -H "Content-Type:application/json" -u odladmin:PGnH9bhnqtDGwTuNnC8JsR9dJ http://172.17.1.16:8081/controller/nb/v2/neutron/networks

  {
     "networks" : [ {
        "id" : "bd8db3a8-2b30-4083-a8b3-b3fd46401142",
        "tenant_id" : "bd8db3a82b304083a8b3b3fd46401142",
        "project_id" : "bd8db3a8-2b30-4083-a8b3-b3fd46401142",
        "name" : "Sync Canary Network",
        "admin_state_up" : false,
        "status" : "ACTIVE",
        "shared" : false,
        "router:external" : false,
        "provider:network_type" : "flat",
        "segments" : [ ],
        "vlan_transparent" : false
     } ]
  }

Comment 18 errata-xmlrpc 2018-07-19 14:27:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2214

