Merge changes from topic 'set-passwords'

* changes: Use uuid4 instead of uuid1 as a base for passwords Set the heat auth_encryption_key to a random string
2015-05-28 16:29:26 +02:00 · 2015-05-28 16:29:26 +02:00 · 1edad24dc1
parent 4f7e4fddab cf8efabe0c
commit 1edad24dc1
5 changed files with 19 additions and 5 deletions
--- a/elements/puppet-stack-config/install.d/02-puppet-stack-config
+++ b/elements/puppet-stack-config/install.d/02-puppet-stack-config
@ -39,6 +39,7 @@ context = {
    'UNDERCLOUD_SWIFT_HASH_SUFFIX': os.environ.get('UNDERCLOUD_SWIFT_HASH_SUFFIX', 'unset'),
    'UNDERCLOUD_SWIFT_PASSWORD': os.environ.get('UNDERCLOUD_SWIFT_PASSWORD', 'unset'),
    'UNDERCLOUD_GLANCE_PASSWORD': os.environ.get('UNDERCLOUD_GLANCE_PASSWORD', 'unset'),
+    'UNDERCLOUD_HEAT_ENCRYPTION_KEY': os.environ.get('UNDERCLOUD_HEAT_ENCRYPTION_KEY', 'unset___________'),
    'UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD', 'unset'),
    'UNDERCLOUD_HEAT_PASSWORD': os.environ.get('UNDERCLOUD_HEAT_PASSWORD', 'unset'),
    'UNDERCLOUD_HORIZON_SECRET_KEY': os.environ.get('UNDERCLOUD_HORIZON_SECRET_KEY', 'unset'),
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@ -72,7 +72,7 @@ heat::engine::heat_watch_server_url: http://{{LOCAL_IP}}:8003
 heat::engine::heat_metadata_server_url: http://{{LOCAL_IP}}:8000
 heat::engine::heat_waitcondition_server_url: http://{{LOCAL_IP}}:8000/v1/waitcondition
 heat::engine::trusts_delegated_roles: []
-heat::engine::auth_encryption_key: unset___________
+heat::engine::auth_encryption_key: {{UNDERCLOUD_HEAT_ENCRYPTION_KEY}}
 heat::instance_user: heat-admin
 heat::rabbit_userid: {{UNDERCLOUD_RABBIT_USERNAME}}
 heat::rabbit_password: {{UNDERCLOUD_RABBIT_PASSWORD}}
--- a/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
+++ b/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
@ -6,6 +6,7 @@ UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(hiera snmpd_readonly_user_password)
 UNDERCLOUD_CEILOMETER_SNMPD_USER=$(hiera snmpd_readonly_user_name)
 UNDERCLOUD_DB_PASSWORD=$(hiera admin_password)
 UNDERCLOUD_GLANCE_PASSWORD=$(hiera glance::api::keystone_password)
+UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(hiera heat::engine::auth_encryption_key)
 UNDERCLOUD_HEAT_PASSWORD=$(hiera heat::keystone_password)
 UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(hiera heat_stack_domain_admin_password)
 UNDERCLOUD_HORIZON_SECRET_KEY=$(hiera horizon_secret_key)
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@ -164,6 +164,10 @@ _auth_opts = [
               help=('Glance service password. '
                     'If left unset, one will be automatically generated.')
               ),
+    cfg.StrOpt('undercloud_heat_encryption_key',
+               help=('Heat db encryption key(must be 8,16 or 32 characters. '
+                     'If left unset, one will be automatically generated.')
+               ),
    cfg.StrOpt('undercloud_heat_password',
               help=('Heat service password. '
                     'If left unset, one will be automatically generated.')
@ -317,14 +321,14 @@ def _check_hostname():
            raise RuntimeError('Static hostname not set in /etc/hosts')


-def _generate_password():
+def _generate_password(length=40):
    """Create a random password

    Copied from rdomanager-oscplugin.  This should eventually live in
    tripleo-common.
    """
-    uuid_str = six.text_type(uuid.uuid1()).encode("UTF-8")
-    return hashlib.sha1(uuid_str).hexdigest()
+    uuid_str = six.text_type(uuid.uuid4()).encode("UTF-8")
+    return hashlib.sha1(uuid_str).hexdigest()[:length]


 def _generate_environment(instack_root):
@ -421,7 +425,11 @@ def _generate_environment(instack_root):
            else:
                value = CONF.auth[opt.name]
            if not value:
-                value = _generate_password()
+                # Heat requires this encryption key to be a specific length
+                if env_name == 'UNDERCLOUD_HEAT_ENCRYPTION_KEY':
+                    value = _generate_password(32)
+                else:
+                    value = _generate_password()
                LOG.info('Generated new password for %s', opt.name)
            instack_env[env_name] = value
            password_file.write('%s=%s\n' % (opt.name, value))
--- a/undercloud.conf.sample
+++ b/undercloud.conf.sample
@ -86,6 +86,10 @@
 # generated. (string value)
 #undercloud_glance_password = <None>

+# Heat db encryption key(must be 8,16 or 32 characters. If left unset,
+# one will be automatically generated. (string value)
+#undercloud_heat_encryption_key = <None>
+
 # Heat service password. If left unset, one will be automatically
 # generated. (string value)
 #undercloud_heat_password = <None>