Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1600967

Summary: [RFE] add mistral task to allow users to easily rotate passwords
Product: Red Hat OpenStack
Reporter: Ade Lee <alee>
Component: openstack-tripleo-common
Assignee: Harry Rybacki <hrybacki>
Status: CLOSED ERRATA
QA Contact: Jeremy Agee <jagee>
Severity: high
Docs Contact:
Priority: urgent
Version: 16.0 (Train)
CC: acanan, alee, aschultz, brad, ccopello, dcadzow, gregraka, hrybacki, jamsmith, kbasil, mburns, nlevinki, rmascena, sclewis, slinaber
Target Milestone: Upstream M3
Keywords: FutureFeature, TechPreview, Triaged
Target Release: 16.0 (Train on RHEL 8.1)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-tripleo-common-11.3.2-0.20191119041432.06779c9.el8ost
Doc Type: Technology Preview
Doc Text:
In Red Hat OpenStack Platform 16.0, a Workflow service (mistral) task is in technology preview that allows you to implement password rotation by doing the following:

* Execute the rotate-password workflow to generate new passwords and store them in the plan environment.
* Redeploy your overcloud.

You can also obtain your passwords after you have changed them.

To implement password rotation, follow these steps:

NOTE: The workflow task modifies the default passwords. The task does not modify passwords that are specified in a user-provided environment file.

1. Execute the new workflow task to regenerate the passwords:

   $ source ./stackrc
   $ openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud"}'

   This command generates new passwords for all passwords except for BarbicanSimpleCryptoKek and KeystoneFernet* and KeystoneCredential*. There are special procedures to rotate these passwords.

   It is also possible to specify specific passwords to be rotated. The following command rotates only the specified passwords.

   $ openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud", "password_list": ["BarbicanPassword", "SaharaPassword", "ManilaPassword"]}'

2. Redeploy your overcloud:

   $ ./overcloud-deploy.sh

To retrieve the passwords, including the newly generated ones, follow these steps:

1. Run the following command:

   $ openstack workflow execution create tripleo.plan_management.v1.get_passwords '{"container": "overcloud"}'

   You should see output from the command, similar to the following:

   +--------------------+---------------------------------------------+
   | Field              | Value                                       |
   +--------------------+---------------------------------------------+
   | ID                 | edcf9103-e1a8-42f9-85c1-e505c055e0ed        |
   | Workflow ID        | 8aa2ac9b-22ee-4e7d-8240-877237ef0d0a        |
   | Workflow name      | tripleo.plan_management.v1.rotate_passwords |
   | Workflow namespace |                                             |
   | Description        |                                             |
   | Task Execution ID  | <none>                                      |
   | Root Execution ID  | <none>                                      |
   | State              | RUNNING                                     |
   | State info         | None                                        |
   | Created at         | 2020-01-22 15:47:57                         |
   | Updated at         | 2020-01-22 15:47:57                         |
   +--------------------+---------------------------------------------+

   In the earlier example output, the value of State is RUNNING. State should eventually read SUCCESS.

2. Re-check the value of State:

   $ openstack workflow execution show edcf9103-e1a8-42f9-85c1-e505c055e0ed

   +--------------------+---------------------------------------------+
   | Field              | Value                                       |
   +--------------------+---------------------------------------------+
   | ID                 | edcf9103-e1a8-42f9-85c1-e505c055e0ed        |
   | Workflow ID        | 8aa2ac9b-22ee-4e7d-8240-877237ef0d0a        |
   | Workflow name      | tripleo.plan_management.v1.rotate_passwords |
   | Workflow namespace |                                             |
   | Description        |                                             |
   | Task Execution ID  | <none>                                      |
   | Root Execution ID  | <none>                                      |
   | State              | SUCCESS                                     |
   | State info         | None                                        |
   | Created at         | 2020-01-22 15:47:57                         |
   | Updated at         | 2020-01-22 15:48:39                         |
   +--------------------+---------------------------------------------+

3. When the value of State is SUCCESS, you can retrieve passwords:

   $ openstack workflow execution output show edcf9103-e1a8-42f9-85c1-e505c055e0ed

   You should see output similar to the following:

   {
     "status": "SUCCESS",
     "message": {
       "AdminPassword": "FSn0sS1aAHp8YK2fU5niM3rxu",
       "AdminToken": "dTP0Wdy7DtblG80M54r4a2yoC",
       "AodhPassword": "fB5NQdRe37BaBVEWDHVuj4etk",
       "BarbicanPassword": "rn7yk7KPafKw2PWN71MvXpnBt",
       "BarbicanSimpleCryptoKek": "lrC3sGlV7-D7-V_PI4vbDfF1Ujm5OjnAVFcnihOpbCg=",
       "CeilometerMeteringSecret": "DQ69HdlJobhnGWoBC0jM3drPF",
       "CeilometerPassword": "qI6xOpofuiXZnG95iUe8Oxv5d",
       "CephAdminKey": "AQDGVPpdAAAAABAAZMP56/VY+zCVcDT81+TOjg==",
       "CephClientKey": "AQDGVPpdAAAAABAAanYtA0ggpcoCbS1nLeDN7w==",
       "CephClusterFSID": "141a5ede-21b4-11ea-8132-52540031f76b",
       "CephDashboardAdminPassword": "AQDGVPpdAAAAABAAKhsx630YKDhQrocS4o4KzA==",
       "CephGrafanaAdminPassword": "AQDGVPpdAAAAABAAKBojG+CO72B0TdBRR0paEg==",
       "CephManilaClientKey": "AQDGVPpdAAAAABAAA1TVHrTVCC8xQ4skG4+d5A=="
     }
   }
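
An added example (not part of the bug report or of tripleo-common): a check that compares the JSON from `openstack workflow execution output show` for a get_passwords run saved before rotation with one saved after, and reports by name which entries changed. The exclusion patterns come from the Doc Text above; the function names, the sample entries and the assumption that `password_list` rotates exactly the listed names are constructed here.

```python
import fnmatch
import json

# Names the page says rotate_passwords skips (they have their own procedures).
EXCLUDED_PATTERNS = ("BarbicanSimpleCryptoKek", "KeystoneFernet*", "KeystoneCredential*")


def _passwords(output_json):
    """Return the name -> value map from `workflow execution output show` JSON."""
    doc = json.loads(output_json)
    if doc.get("status") != "SUCCESS":
        raise ValueError("workflow status is %r, not SUCCESS" % doc.get("status"))
    return doc["message"]


def rotation_report(before_json, after_json, password_list=None,
                    excluded=EXCLUDED_PATTERNS):
    """Compare two get_passwords outputs; the report holds names, never values."""
    before, after = _passwords(before_json), _passwords(after_json)
    report = {"rotated": [], "not_rotated": [], "unexpected_change": [], "missing": []}
    for name in sorted(before):
        if name not in after:
            report["missing"].append(name)
            continue
        changed = before[name] != after[name]
        if password_list is not None:
            # Assumption: with password_list, exactly the listed names rotate.
            expected = name in password_list
        else:
            expected = not any(fnmatch.fnmatchcase(name, p) for p in excluded)
        if expected:
            report["rotated" if changed else "not_rotated"].append(name)
        elif changed:
            report["unexpected_change"].append(name)
    return report


def _sample(values):
    # Constructed sample output; the values are placeholders, not real secrets.
    return json.dumps({"status": "SUCCESS", "message": values})


BEFORE = _sample({"AdminPassword": "old-admin", "BarbicanPassword": "old-barbican",
                  "BarbicanSimpleCryptoKek": "kek-1", "KeystoneFernetKey0": "fernet-1"})
AFTER = _sample({"AdminPassword": "new-admin", "BarbicanPassword": "old-barbican",
                 "BarbicanSimpleCryptoKek": "kek-1", "KeystoneFernetKey0": "fernet-1"})

if __name__ == "__main__":
    print(json.dumps(rotation_report(BEFORE, AFTER), indent=2))
```

The report covers only the values stored in the plan environment; a password set in a user-provided environment file is not modified by the task, so it has to be reviewed separately.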
Story Points: ---
Clone Of:
: 1777510 (view as bug list) Environment:
Last Closed: 2020-02-06 14:37:23 UTC
Type: Bug
Bug Blocks: 1777510    

Description Ade Lee 2018-07-13 13:43:19 UTC
Description of problem:

It is useful to be able to correctly generate new passwords in an existing OpenStack deployment, so as to implement password rotation.

A mistral task has been added to allow users to do just this.  This code has already merged upstream, and we are adding this BZ to ensure that the new method is properly documented and tested by QE.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Ade Lee 2018-07-13 13:47:03 UTC
Some notes on how to use the new method:

*********************************************************
This is how to do password changes in OSP 14+.

It is still possible to specify specific password values as documented for OSP < 14 by providing an additional parameter file containing the new passwords.

For OSP 14, a new tripleo mistral workflow was added though to allow passwords to be regenerated.  The basic procedure is:

* Execute the rotate-password workflow to generate new passwords and store them in the plan environment.

* Redeploy.

The above steps are described in detail below:

1. Execute the new tripleo workflow to regenerate the passwords

   source ./stackrc
   openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud"}'

   The above command will generate new passwords for all passwords except for 
   BarbicanSimpleCryptoKek and KeystoneFernet* and KeystoneCredential*.  There 
   are special procedures to rotate these passwords.

   It is also possible to specify specific passwords to be rotated.  The 
   following command will rotate only the specified passwords.

   openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud", "password_list": ["BarbicanPassword", "SaharaPassword", "ManilaPassword"]}'

   Note that the above action modifies the default passwords.  If a password is 
   specified in a user provided environment file, this will take precedence.


2. Redeploy

   ./overcloud-deploy.sh

3.  It is possible to retrieve the passwords - including the newly generated ones as follows:

   openstack workflow execution create tripleo.plan_management.v1.get_passwords '{"container": "overcloud"}'

Comment 21 errata-xmlrpc 2020-02-06 14:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0283