Add generate_passwords.py to generate passwords

As with all tools, this is a first pass at the generation. Perhaps we even want to move this into kolla/kolla/cmd and be generated with tox itself in the future. This tool, when run, will only populate empty fields that have no values meaning that it is safe to run repeatedly on the same file. Of note, there is no way to preserve comments in the file after it has been processed by the yaml parser in python. Comments and sections will remain in the passwords.yml template for additional documentation if the user wishes to populate the file themselves. Use SystemRandom and clean up the docs a bit to not use pronouns. Co-Authored-By: Steven Dake <stdake@cisco.com> Closes-Bug: #1559266 Change-Id: I2932d592df8871f1b7811059206d0b4d0553a687
2016-03-16 21:45:25 +00:00 · 2016-03-16 21:45:25 +00:00 · f03e06e09b
parent ff3095f56e
commit f03e06e09b
7 changed files with 101 additions and 41 deletions
--- a/dev/vagrant/bootstrap.sh
+++ b/dev/vagrant/bootstrap.sh
@ -165,6 +165,7 @@ function configure_operator {

    tox -c ${KOLLA_PATH}/tox.ini -e genconfig
    cp -r ${KOLLA_PATH}/etc/kolla/ /etc/kolla
+    ${KOLLA_PATH}/tools/generate_passwords.py
    mkdir -p /usr/share/kolla
    chown -R vagrant: /etc/kolla /usr/share/kolla

--- a/doc/quickstart.rst
+++ b/doc/quickstart.rst
@ -390,6 +390,15 @@ the Ansible inventory file can be found in the Ansible `inventory introduction
 All variables for the environment can be specified in the files:
 "/etc/kolla/globals.yml" and "/etc/kolla/passwords.yml"

+Generate passwords for /etc/kolla/passwords.yml using the provided
+kolla-genpwd tool.  The tool will populate all empty fields in the
+"/etc/kolla/passwords.yml" file using randomly generated values to secure the
+deployment.  Optionally, the passwords may be populate in the file by hand.
+
+::
+
+    kolla-genpwd
+
 Start by editing /etc/kolla/globals.yml. Check and edit, if needed, these
 parameters: kolla_base_distro, kolla_install_type.

--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@ -1,66 +1,62 @@
 ---
-# TODO(SamYaple): This file should have generated values by default. Propose
-# Ansible vault for locking down the secrets properly.
-
-
 ###################
 # Ceph options
 ####################
-ceph_cluster_fsid: "5fba2fbc-551d-11e5-a8ce-01ef4c5cf93c"
-rbd_secret_uuid: "bbc5b4d5-6fca-407d-807d-06a4f4a7bccb"
-
+# These options must be UUID4 values in string format
+# XXXXXXXX-XXXX-4XXX-XXXX-XXXXXXXXXXXX
+ceph_cluster_fsid:
+rbd_secret_uuid:

 ###################
 # Database options
 ####################
-database_password: "password"
-
+database_password:

 ####################
 # Docker options
 ####################
+# This should only be set if you require a password for your Docker registry
 docker_registry_password:

-
 ####################
 # OpenStack options
 ####################
-keystone_admin_password: "password"
-keystone_database_password: "password"
+keystone_admin_password:
+keystone_database_password:

-glance_database_password: "password"
-glance_keystone_password: "password"
+glance_database_password:
+glance_keystone_password:

-nova_database_password: "password"
-nova_api_database_password: "password"
-nova_keystone_password: "password"
+nova_database_password:
+nova_api_database_password:
+nova_keystone_password:

-neutron_database_password: "password"
-neutron_keystone_password: "password"
-metadata_secret: "password"
+neutron_database_password:
+neutron_keystone_password:
+metadata_secret:

-cinder_database_password: "password"
-cinder_keystone_password: "password"
+cinder_database_password:
+cinder_keystone_password:

-swift_keystone_password: "password"
-swift_hash_path_suffix: "kolla"
-swift_hash_path_prefix: "kolla"
+swift_keystone_password:
+swift_hash_path_suffix:
+swift_hash_path_prefix:

-heat_database_password: "password"
-heat_keystone_password: "password"
-heat_domain_admin_password: "password"
+heat_database_password:
+heat_keystone_password:
+heat_domain_admin_password:

-murano_database_password: "password"
-murano_keystone_password: "password"
+murano_database_password:
+murano_keystone_password:

-ironic_database_password: "password"
-ironic_keystone_password: "password"
+ironic_database_password:
+ironic_keystone_password:

-magnum_database_password: "password"
-magnum_keystone_password: "password"
+magnum_database_password:
+magnum_keystone_password:

-mistral_database_password: "password"
-mistral_keystone_password: "password"
+mistral_database_password:
+mistral_keystone_password:

 horizon_secret_key: "password"

@ -72,12 +68,11 @@ memcache_secret_key: "password"
 ####################
 # RabbitMQ options
 ####################
-rabbitmq_password: "password"
-rabbitmq_cluster_cookie: "password"
-
+rabbitmq_password:
+rabbitmq_cluster_cookie:

 ####################
 # HAProxy options
 ####################
-haproxy_password: "password"
-keepalived_password: "password"
+haproxy_password:
+keepalived_password:
--- a/kolla/cmd/genpwd.py
+++ b/kolla/cmd/genpwd.py
@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import random
+import string
+import uuid
+import yaml
+
+
+def main():
+    # These keys should be random uuids
+    uuid_keys = ['ceph_cluster_fsid', 'rbd_secret_uuid']
+
+    # If these keys are None, leave them as None
+    blank_keys = ['docker_registry_password']
+
+    # length of password
+    length = 40
+
+    with open('/etc/kolla/passwords.yml', 'r') as f:
+        passwords = yaml.load(f.read())
+
+    for k, v in passwords.items():
+        if v is None:
+            if k in blank_keys and v is None:
+                continue
+            if k in uuid_keys:
+                passwords[k] = str(uuid.uuid4())
+            else:
+                passwords[k] = ''.join([
+                    random.SystemRandom().choice(
+                        string.ascii_letters + string.digits)
+                    for n in range(length)
+                ])
+
+    with open('/etc/kolla/passwords.yml', 'w') as f:
+        f.write(yaml.dump(passwords, default_flow_style=False))
+
+if __name__ == '__main__':
+    main()
--- a/setup.cfg
+++ b/setup.cfg
@ -35,6 +35,7 @@ scripts =
 [entry_points]
 console_scripts =
    kolla-build = kolla.cmd.build:main
+    kolla-genpwd = kolla.cmd.genpwd:main
 oslo.config.opts =
    kolla = kolla.opts:list_opts

--- a/tools/generate_passwords.py
+++ b/tools/generate_passwords.py
@ -0,0 +1 @@
+../kolla/cmd/genpwd.py
--- a/tools/setup_gate.sh
+++ b/tools/setup_gate.sh
@ -13,6 +13,8 @@ function setup_config {
    tox -e genconfig
    # Copy configs
    sudo cp -a etc/kolla /etc/
+    # Generate passwords
+    sudo tools/generate_passwords.py

    # Use Infra provided pypi
    echo "RUN echo $(base64 -w0 /etc/pip.conf) | base64 -d > /etc/pip.conf" | sudo tee /etc/kolla/header