Bug 1600967 - [RFE] add mistral task to allow users to easily rotate passwords
Summary: [RFE] add mistral task to allow users to easily rotate passwords
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-common
Version: 16.0 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: Upstream M3
Target Release: 16.0 (Train on RHEL 8.1)
Assignee: Harry Rybacki
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks: 1777510
 
Reported: 2018-07-13 13:43 UTC by Ade Lee
Modified: 2020-02-06 14:39 UTC (History)

Fixed In Version: openstack-tripleo-common-11.3.2-0.20191119041432.06779c9.el8ost
Doc Type: Technology Preview
Doc Text:
In Red Hat OpenStack Platform 16.0, a Workflow service (mistral) task is in technology preview that allows you to implement password rotation by doing the following:

* Execute the rotate-password workflow to generate new passwords and store them in the plan environment.
* Redeploy your overcloud.

You can also obtain your passwords after you have changed them.

To implement password rotation, follow these steps:

NOTE: The workflow task modifies the default passwords. The task does not modify passwords that are specified in a user-provided environment file.

1. Execute the new workflow task to regenerate the passwords:

   $ source ./stackrc
   $ openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud"}'

   This command generates new passwords for all passwords except for BarbicanSimpleCryptoKek and KeystoneFernet* and KeystoneCredential*. There are special procedures to rotate these passwords.

   It is also possible to specify specific passwords to be rotated. The following command rotates only the specified passwords.

   $ openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud", "password_list": ["BarbicanPassword", "SaharaPassword", "ManilaPassword"]}'

2. Redeploy your overcloud:

   $ ./overcloud-deploy.sh

To retrieve the passwords, including the newly generated ones, follow these steps:

1. Run the following command:

   $ openstack workflow execution create tripleo.plan_management.v1.get_passwords '{"container": "overcloud"}'

   You should see output from the command, similar to the following:

   +--------------------+---------------------------------------------+
   | Field              | Value                                       |
   +--------------------+---------------------------------------------+
   | ID                 | edcf9103-e1a8-42f9-85c1-e505c055e0ed        |
   | Workflow ID        | 8aa2ac9b-22ee-4e7d-8240-877237ef0d0a        |
   | Workflow name      | tripleo.plan_management.v1.rotate_passwords |
   | Workflow namespace |                                             |
   | Description        |                                             |
   | Task Execution ID  | <none>                                      |
   | Root Execution ID  | <none>                                      |
   | State              | RUNNING                                     |
   | State info         | None                                        |
   | Created at         | 2020-01-22 15:47:57                         |
   | Updated at         | 2020-01-22 15:47:57                         |
   +--------------------+---------------------------------------------+

   In the earlier example output, the value of State is RUNNING. State should eventually read SUCCESS.

2. Re-check the value of State:

   $ openstack workflow execution show edcf9103-e1a8-42f9-85c1-e505c055e0ed

   +--------------------+---------------------------------------------+
   | Field              | Value                                       |
   +--------------------+---------------------------------------------+
   | ID                 | edcf9103-e1a8-42f9-85c1-e505c055e0ed        |
   | Workflow ID        | 8aa2ac9b-22ee-4e7d-8240-877237ef0d0a        |
   | Workflow name      | tripleo.plan_management.v1.rotate_passwords |
   | Workflow namespace |                                             |
   | Description        |                                             |
   | Task Execution ID  | <none>                                      |
   | Root Execution ID  | <none>                                      |
   | State              | SUCCESS                                     |
   | State info         | None                                        |
   | Created at         | 2020-01-22 15:47:57                         |
   | Updated at         | 2020-01-22 15:48:39                         |
   +--------------------+---------------------------------------------+

3. When the value of State is SUCCESS, you can retrieve passwords:

   $ openstack workflow execution output show edcf9103-e1a8-42f9-85c1-e505c055e0ed

   You should see output similar to the following:

   {
       "status": "SUCCESS",
       "message": {
           "AdminPassword": "FSn0sS1aAHp8YK2fU5niM3rxu",
           "AdminToken": "dTP0Wdy7DtblG80M54r4a2yoC",
           "AodhPassword": "fB5NQdRe37BaBVEWDHVuj4etk",
           "BarbicanPassword": "rn7yk7KPafKw2PWN71MvXpnBt",
           "BarbicanSimpleCryptoKek": "lrC3sGlV7-D7-V_PI4vbDfF1Ujm5OjnAVFcnihOpbCg=",
           "CeilometerMeteringSecret": "DQ69HdlJobhnGWoBC0jM3drPF",
           "CeilometerPassword": "qI6xOpofuiXZnG95iUe8Oxv5d",
           "CephAdminKey": "AQDGVPpdAAAAABAAZMP56/VY+zCVcDT81+TOjg==",
           "CephClientKey": "AQDGVPpdAAAAABAAanYtA0ggpcoCbS1nLeDN7w==",
           "CephClusterFSID": "141a5ede-21b4-11ea-8132-52540031f76b",
           "CephDashboardAdminPassword": "AQDGVPpdAAAAABAAKhsx630YKDhQrocS4o4KzA==",
           "CephGrafanaAdminPassword": "AQDGVPpdAAAAABAAKBojG+CO72B0TdBRR0paEg==",
           "CephManilaClientKey": "AQDGVPpdAAAAABAAA1TVHrTVCC8xQ4skG4+d5A=="
       }
   }
Clone Of:
: 1777510 (view as bug list)
Environment:
Last Closed: 2020-02-06 14:37:23 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 574782 0 'None' MERGED Add mistral job to rotate passwords on the overcloud 2020-12-08 11:41:23 UTC
Red Hat Product Errata RHEA-2020:0283 0 None None None 2020-02-06 14:39:39 UTC

Description Ade Lee 2018-07-13 13:43:19 UTC
Description of problem:

It is useful to be able to correctly generate new passwords in an existing OpenStack deployment, so as to implement password rotation.

A mistral task has been added to allow users to do just this.  This code has already merged upstream, and we are adding this BZ to ensure that the new method is properly documented and tested by QE.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Ade Lee 2018-07-13 13:47:03 UTC
Some notes on how to use the new method:

*********************************************************
This is how to do password changes in OSP 14+.

It is still possible to specify specific password values as documented for OSP < 14 by providing an additional parameter file containing the new passwords.

For OSP 14, a new tripleo mistral workflow was added though to allow passwords to be regenerated.  The basic procedure is:

* Execute the rotate-password workflow to generate new passwords and store them in the plan environment.

* Redeploy.

The above steps are described in detail below:

1. Execute the new tripleo workflow to regenerate the passwords

   source ./stackrc
   openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud"}'

   The above command will generate new passwords for all passwords except for 
   BarbicanSimpleCryptoKek and KeystoneFernet* and KeystoneCredential*.  There 
   are special procedures to rotate these passwords.

   It is also possible to specify specific passwords to be rotated.  The 
   following command will rotate only the specified passwords.

   openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud", "password_list": ["BarbicanPassword", "SaharaPassword", "ManilaPassword"]}'

   Note that the above action modifies the default passwords.  If a password is 
   specified in a user-provided environment file, this will take precedence.


2. Redeploy

   ./overcloud-deploy.sh

3. It is possible to retrieve the passwords, including the newly generated ones, as follows:

   openstack workflow execution create tripleo.plan_management.v1.get_passwords '{"container": "overcloud"}'
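
Added example (not part of the original comment and not tripleo-common code): a Python check that compares two saved get_passwords outputs, taken before and after rotate_passwords, and reports by name only which parameters rotated, which did not, and which changed although they were not meant to. It assumes the output shape shown in the Doc Text and treats the three exclusions named on this page as the complete list; the sample values are constructed placeholders, and KeystoneFernetKey0 is a constructed name matching KeystoneFernet*.

```python
import fnmatch
import json

# Names the page says rotate_passwords skips; treated here as the full list (assumption).
EXCLUDED = ("BarbicanSimpleCryptoKek", "KeystoneFernet*", "KeystoneCredential*")

def load_passwords(output_json):
    """Parse the JSON printed by `openstack workflow execution output show`."""
    doc = json.loads(output_json)
    if doc.get("status") != "SUCCESS":
        raise ValueError("get_passwords status is %r, not SUCCESS" % doc.get("status"))
    return doc["message"]

def audit_rotation(before, after, password_list=None):
    """Compare two get_passwords snapshots; the report holds names only, never values."""
    report = {"rotated": [], "stale": [], "unexpected_change": [], "missing": []}
    for name in sorted(set(before) | set(after)):
        if name not in before or name not in after:
            report["missing"].append(name)
            continue
        if password_list is not None:
            expected = name in password_list
        else:
            expected = not any(fnmatch.fnmatchcase(name, p) for p in EXCLUDED)
        changed = before[name] != after[name]
        if expected and changed:
            report["rotated"].append(name)
        elif expected:
            # One cause the page names: a user-provided environment file takes precedence.
            report["stale"].append(name)
        elif changed:
            report["unexpected_change"].append(name)
    return report

# Constructed sample snapshots (placeholder values, not real credentials).
BEFORE = json.dumps({"status": "SUCCESS", "message": {
    "BarbicanPassword": "old-a", "SaharaPassword": "old-b", "ManilaPassword": "old-c",
    "AdminPassword": "old-d", "BarbicanSimpleCryptoKek": "kek-1", "KeystoneFernetKey0": "fk-1"}})
AFTER = json.dumps({"status": "SUCCESS", "message": {
    "BarbicanPassword": "new-a", "SaharaPassword": "new-b", "ManilaPassword": "old-c",
    "AdminPassword": "old-d", "BarbicanSimpleCryptoKek": "kek-1", "KeystoneFernetKey0": "fk-2"}})

if __name__ == "__main__":
    selected = ["BarbicanPassword", "SaharaPassword", "ManilaPassword"]
    print(audit_rotation(load_passwords(BEFORE), load_passwords(AFTER), selected))
```

Pass password_list only when rotate_passwords was run with one; with no list, every name outside the exclusions is expected to change.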

Comment 21 errata-xmlrpc 2020-02-06 14:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0283

