2080920 – Expose password for overcloud rc file

Bug 2080920 - Expose password for overcloud rc file

Summary: Expose password for overcloud rc file

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	17.0 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	Alpha
Target Release:	17.0
Assignee:	James Slagle
QA Contact:	Joe H. Rahme
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-05-02 11:21 UTC by Attila Fazekas
Modified:	2022-09-21 12:21 UTC (History)
CC List:	5 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-14.3.1-0.20220506221655.7b9b4ef.el9ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-09-21 12:20:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	839751	None	master: MERGED	tripleo-heat-templates: Add AdminPassword and KeystoneRegion stack outputs (Idaef781163c6c8f5928d93d9bbc1aa7b0dee6fd6)	2022-05-04 14:36:56 UTC
OpenStack gerrit	840291	None	NEW	Add AdminPassword and KeystoneRegion stack outputs	2022-05-04 14:46:17 UTC
Red Hat Issue Tracker	OSP-14973	None	None	None	2022-05-02 11:39:09 UTC
Red Hat Product Errata	RHEA-2022:6543	None	None	None	2022-09-21 12:21:05 UTC

Description Attila Fazekas 2022-05-02 11:21:21 UTC

Description of problem:

The most frequently used/documented way handling openstack credentials is <credentials>rc files
like overcloudrc, openrc, keystonrc ..
Some usage does not even involve openstacksdk, but expecting OS_PASSWORD be there.


        (overcloud) [stack@undercloud-0 ~]$ /usr/bin/discover-tempest-config --create
        2022-05-02 10:48:42.808 779251 INFO tempest [-] Using tempest config file /etc/tempest/tempest.conf
        2022-05-02 10:48:42.843 779251 CRITICAL tempest [-] Unhandled error: KeyError: 'password'
        2022-05-02 10:48:42.843 779251 ERROR tempest Traceback (most recent call last):
        2022-05-02 10:48:42.843 779251 ERROR tempest   File "/usr/bin/discover-tempest-config", line 10, in <module>
        2022-05-02 10:48:42.843 779251 ERROR tempest     sys.exit(main())
        2022-05-02 10:48:42.843 779251 ERROR tempest   File "/usr/lib/python3.6/site-packages/config_tempest/main.py", line 607, in main
        2022-05-02 10:48:42.843 779251 ERROR tempest     retry_image=args.retry_image
        2022-05-02 10:48:42.843 779251 ERROR tempest   File "/usr/lib/python3.6/site-packages/config_tempest/main.py", line 517, in config_tempest
        2022-05-02 10:48:42.843 779251 ERROR tempest     kwargs.get('cloud_creds'))
        2022-05-02 10:48:42.843 779251 ERROR tempest   File "/usr/lib/python3.6/site-packages/config_tempest/main.py", line 185, in set_options
        2022-05-02 10:48:42.843 779251 ERROR tempest     set_cloud_config_values(non_admin, cloud_creds, conf)
        2022-05-02 10:48:42.843 779251 ERROR tempest   File "/usr/lib/python3.6/site-packages/config_tempest/main.py", line 458, in set_cloud_config_values
        2022-05-02 10:48:42.843 779251 ERROR tempest     conf.set('auth', 'admin_password', cloud_creds['password'])
        2022-05-02 10:48:42.843 779251 ERROR tempest KeyError: 'password'
        2022-05-02 10:48:42.843 779251 ERROR tempest
        (overcloud) [stack@undercloud-0 ~]$
        (overcloud) [stack@undercloud-0 ~]$
        (overcloud) [stack@undercloud-0 ~]$ openstack network list
        /usr/lib64/python3.6/site-packages/_yaml/__init__.py:23: DeprecationWarning: The _yaml extension module is now located at yaml._yaml and its location is subject to change.  To use the LibYAML-based parser and emitter, import from `yaml`: `from yaml import CLoader as Loader, CDumper as Dumper`.
          DeprecationWarning
        Password:
        No password entered, or found via --os-password or OS_PASSWORD
        (overcloud) [stack@undercloud-0 ~]$ cat ~/overcloudrc
        # Clear any old environment that may conflict.
        for key in $( set | awk '{FS="="}  /^OS_/ {print $1}' ); do unset $key ; done
        export OS_USERNAME=admin
        export OS_PROJECT_NAME=admin
        export OS_USER_DOMAIN_NAME=Default
        export OS_PROJECT_DOMAIN_NAME=Default
        export OS_NO_CACHE=True
        export OS_CLOUDNAME=overcloud
        export no_proxy=10.0.0.124
        export PYTHONWARNINGS='ignore:Certificate has no, ignore:A true SSLContext object is not available'
        export OS_AUTH_TYPE=password
        export OS_PASSWORD=''
        export OS_AUTH_URL=http://10.0.0.124:5000
        export OS_IDENTITY_API_VERSION=3
        export OS_COMPUTE_API_VERSION=2.latest
        export OS_IMAGE_API_VERSION=2
        export OS_VOLUME_API_VERSION=3
        export OS_REGION_NAME=regionOne
         
        # Add OS_CLOUDNAME to PS1
        if [ -z "${CLOUDPROMPT_ENABLED:-}" ]; then
            export PS1=${PS1:-""}
            export PS1=\${OS_CLOUDNAME:+"(\$OS_CLOUDNAME)"}\ $PS1
            export CLOUDPROMPT_ENABLED=1
        fi
         
$ nova service-list
ERROR (Unauthorized): The request you have made requires authentication. (HTTP 401) (Request-ID: req-767ba800-7878-4b59-91cb-a17027ed8359)


puppet-tripleo-14.2.3-0.20220429022554.f1d263b.el8osttrunk.noarch
python3-tripleoclient-16.4.1-0.20220428005553.095182c.el8osttrunk.noarch
ansible-role-tripleo-modify-image-1.3.1-0.20220215231337.30d23d5.el8osttrunk.noarch
ansible-tripleo-ipsec-11.0.1-0.20210910002917.b5559c8.el8osttrunk.noarch
tripleo-ansible-3.3.1-0.20220427230448.1fbbf40.el8osttrunk.noarch
openstack-tripleo-common-containers-15.4.1-0.20220428004526.f6181ad.el8osttrunk.noarch
openstack-tripleo-validations-14.2.2-0.20220422042447.62e6da1.el8osttrunk.noarch
openstack-tripleo-common-15.4.1-0.20220428004526.f6181ad.el8osttrunk.noarch
openstack-tripleo-heat-templates-14.3.1-0.20220428004525.935261d.el8osttrunk.noarch
python3-tripleo-common-15.4.1-0.20220428004526.f6181ad.el8osttrunk.noarch
ansible-tripleo-ipa-0.2.3-0.20220301182436.6b0ed82.el8osttrunk.noarch

OS_PASSWORD should reference to a valid password instead of '' .


Introduced: https://review.opendev.org/c/openstack/python-tripleoclient/+/838910

Comment 3 David Rosenfeld 2022-06-17 15:26:30 UTC

After sourcing overcloudrc /usr/bin/discover-tempest-config --create, openstack network list, and nova service-list all executed successfully e.g.:

 openstack network list
/usr/lib/python3.9/site-packages/ansible/_vendor/__init__.py:42: UserWarning: One or more Python packages bundled by this ansible-core distribution were already loaded (pyparsing). This may result in undefined behavior.
  warnings.warn('One or more Python packages bundled by this ansible-core distribution were already '
+--------------------------------------+--------------------------+----------------------------------------------------------------------------+
| ID                                   | Name                     | Subnets                                                                    |
+--------------------------------------+--------------------------+----------------------------------------------------------------------------+
| 1dd21e88-e656-4e84-9e17-9bef59eaa396 | heat_tempestconf_network | 8b3d134e-55d2-4fe8-9cbe-0b3f29eb1695                                       |
| 7d3bc719-d350-4c95-9c28-469b3f12e569 | public                   | 2109041f-35b7-4454-b282-b6a2da2285da, 31e21fb6-de3d-4995-8e90-7859b0c4c7de |
+--------------------------------------+--------------------------+----------------------------------------------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ 
(overcloud) [stack@undercloud-0 ~]$ nova service-list
+--------------------------------------+----------------+---------------------------+----------+---------+-------+----------------------------+-----------------+-------------+
| Id                                   | Binary         | Host                      | Zone     | Status  | State | Updated_at                 | Disabled Reason | Forced down |
+--------------------------------------+----------------+---------------------------+----------+---------+-------+----------------------------+-----------------+-------------+
| e440d08f-7d09-4e44-b7ad-26bb8c910453 | nova-conductor | controller-0.redhat.local | internal | enabled | up    | 2022-06-17T15:22:55.000000 | -               | False       |
| 89f65c81-e629-4402-86a4-e5600e8da9ef | nova-scheduler | controller-0.redhat.local | internal | enabled | up    | 2022-06-17T15:22:57.000000 | -               | False       |
| 0a0ddac2-8a83-4094-99ae-4168d8b756a4 | nova-compute   | compute-0.redhat.local    | nova     | enabled | up    | 2022-06-17T15:22:54.000000 | -               | False       |
+--------------------------------------+----------------+---------------------------+----------+---------+-------+----------------------------+-----------------+-------------+

Comment 8 errata-xmlrpc 2022-09-21 12:20:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

Note You need to log in before you can comment on or make changes to this bug.