From f03e06e09bc486a1a26d5642cce278d7dbb7bd92 Mon Sep 17 00:00:00 2001 From: SamYaple Date: Wed, 16 Mar 2016 21:45:25 +0000 Subject: [PATCH] Add generate_passwords.py to generate passwords As with all tools, this is a first pass at the generation. Perhaps we even want to move this into kolla/kolla/cmd and be generated with tox itself in the future. This tool, when run, will only populate empty fields that have no values meaning that it is safe to run repeatedly on the same file. Of note, there is no way to preserve comments in the file after it has been processed by the yaml parser in python. Comments and sections will remain in the passwords.yml template for additional documentation if the user wishes to populate the file themselves. Use SystemRandom and clean up the docs a bit to not use pronouns. Co-Authored-By: Steven Dake Closes-Bug: #1559266 Change-Id: I2932d592df8871f1b7811059206d0b4d0553a687 --- dev/vagrant/bootstrap.sh | 1 + doc/quickstart.rst | 9 +++++ etc/kolla/passwords.yml | 77 +++++++++++++++++-------------------- kolla/cmd/genpwd.py | 51 ++++++++++++++++++++++++ setup.cfg | 1 + tools/generate_passwords.py | 1 + tools/setup_gate.sh | 2 + 7 files changed, 101 insertions(+), 41 deletions(-) create mode 100755 kolla/cmd/genpwd.py create mode 120000 tools/generate_passwords.py diff --git a/dev/vagrant/bootstrap.sh b/dev/vagrant/bootstrap.sh index 67b70775c1..e365b851e0 100644 --- a/dev/vagrant/bootstrap.sh +++ b/dev/vagrant/bootstrap.sh @@ -165,6 +165,7 @@ function configure_operator { tox -c ${KOLLA_PATH}/tox.ini -e genconfig cp -r ${KOLLA_PATH}/etc/kolla/ /etc/kolla + ${KOLLA_PATH}/tools/generate_passwords.py mkdir -p /usr/share/kolla chown -R vagrant: /etc/kolla /usr/share/kolla diff --git a/doc/quickstart.rst b/doc/quickstart.rst index ef0ae708cb..82b9792b65 100644 --- a/doc/quickstart.rst +++ b/doc/quickstart.rst 
@@ -390,6 +390,15 @@ the Ansible inventory file can be found in the Ansible `inventory introduction All variables for the environment can be specified in the files: "/etc/kolla/globals.yml" and "/etc/kolla/passwords.yml" +Generate passwords for /etc/kolla/passwords.yml using the provided +kolla-genpwd tool. The tool will populate all empty fields in the +"/etc/kolla/passwords.yml" file using randomly generated values to secure the +deployment. Optionally, the passwords may be populate in the file by hand. + +:: + + kolla-genpwd + Start by editing /etc/kolla/globals.yml. Check and edit, if needed, these parameters: kolla_base_distro, kolla_install_type. diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml index a98911c3b5..5f250ac8c2 100644 --- a/etc/kolla/passwords.yml +++ b/etc/kolla/passwords.yml 
@@ -1,66 +1,62 @@ --- -# TODO(SamYaple): This file should have generated values by default. Propose -# Ansible vault for locking down the secrets properly. - - ################### # Ceph options #################### -ceph_cluster_fsid: "5fba2fbc-551d-11e5-a8ce-01ef4c5cf93c" -rbd_secret_uuid: "bbc5b4d5-6fca-407d-807d-06a4f4a7bccb" - +# These options must be UUID4 values in string format +# XXXXXXXX-XXXX-4XXX-XXXX-XXXXXXXXXXXX +ceph_cluster_fsid: +rbd_secret_uuid: ################### # Database options #################### -database_password: "password" - +database_password: #################### # Docker options #################### +# This should only be set if you require a password for your Docker registry docker_registry_password: - #################### # OpenStack options #################### -keystone_admin_password: "password" -keystone_database_password: "password" +keystone_admin_password: +keystone_database_password: -glance_database_password: "password" -glance_keystone_password: "password" +glance_database_password: +glance_keystone_password: -nova_database_password: "password" -nova_api_database_password: "password" -nova_keystone_password: "password" +nova_database_password: +nova_api_database_password: +nova_keystone_password: -neutron_database_password: "password" -neutron_keystone_password: "password" -metadata_secret: "password" +neutron_database_password: +neutron_keystone_password: +metadata_secret: -cinder_database_password: "password" -cinder_keystone_password: "password" +cinder_database_password: +cinder_keystone_password: -swift_keystone_password: "password" -swift_hash_path_suffix: "kolla" -swift_hash_path_prefix: "kolla" +swift_keystone_password: +swift_hash_path_suffix: +swift_hash_path_prefix: -heat_database_password: "password" -heat_keystone_password: "password" -heat_domain_admin_password: "password" +heat_database_password: +heat_keystone_password: +heat_domain_admin_password: -murano_database_password: "password" 
-murano_keystone_password: "password" +murano_database_password: +murano_keystone_password: -ironic_database_password: "password" -ironic_keystone_password: "password" +ironic_database_password: +ironic_keystone_password: -magnum_database_password: "password" -magnum_keystone_password: "password" +magnum_database_password: +magnum_keystone_password: -mistral_database_password: "password" -mistral_keystone_password: "password" +mistral_database_password: +mistral_keystone_password: horizon_secret_key: "password" @@ -72,12 +68,11 @@ memcache_secret_key: "password" #################### # RabbitMQ options #################### -rabbitmq_password: "password" -rabbitmq_cluster_cookie: "password" - +rabbitmq_password: +rabbitmq_cluster_cookie: #################### # HAProxy options #################### -haproxy_password: "password" -keepalived_password: "password" +haproxy_password: +keepalived_password: diff --git a/kolla/cmd/genpwd.py b/kolla/cmd/genpwd.py new file mode 100755 index 0000000000..728dd458b9 --- /dev/null +++ b/kolla/cmd/genpwd.py 
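Review bot: `horizon_secret_key: "password"` (the context line closing the first hunk) and `memcache_secret_key: "password"` (the context in the second `@@` header) keep the hard-coded default while every other secret in this file is blanked. Because kolla-genpwd only fills keys whose value is None, these two will never be regenerated, so a deployment that follows the new quickstart still runs with a known Horizon session key and memcache secret. Blank them like the rest: `horizon_secret_key:` and `memcache_secret_key:`. The lines between the two hunks (old 67-71) are not shown, so any other `"password"` default there would need the same treatment; a grep for `"password"` in the file before merging would confirm.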
@@ -0,0 +1,51 @@ +#!/usr/bin/env python + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import random +import string +import uuid +import yaml + + +def main(): + # These keys should be random uuids + uuid_keys = ['ceph_cluster_fsid', 'rbd_secret_uuid'] + + # If these keys are None, leave them as None + blank_keys = ['docker_registry_password'] + + # length of password + length = 40 + + with open('/etc/kolla/passwords.yml', 'r') as f: + passwords = yaml.load(f.read()) + + for k, v in passwords.items(): + if v is None: + if k in blank_keys and v is None: + continue + if k in uuid_keys: + passwords[k] = str(uuid.uuid4()) + else: + passwords[k] = ''.join([ + random.SystemRandom().choice( + string.ascii_letters + string.digits) + for n in range(length) + ]) + + with open('/etc/kolla/passwords.yml', 'w') as f: + f.write(yaml.dump(passwords, default_flow_style=False)) + +if __name__ == '__main__': + main() diff --git a/setup.cfg b/setup.cfg index cf11709c04..b27943b069 100644 --- a/setup.cfg +++ b/setup.cfg @@ -35,6 +35,7 @@ scripts = [entry_points] console_scripts = kolla-build = kolla.cmd.build:main + kolla-genpwd = kolla.cmd.genpwd:main oslo.config.opts = kolla = kolla.opts:list_opts diff --git a/tools/generate_passwords.py b/tools/generate_passwords.py new file mode 120000 index 0000000000..e157963a38 --- /dev/null +++ b/tools/generate_passwords.py @@ -0,0 +1 @@ +../kolla/cmd/genpwd.py \ No newline at end of file 
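Review bot: `passwords = yaml.load(f.read())` in main() uses PyYAML's default loader, which can construct arbitrary Python objects from tags in the parsed file; this file is plain scalars and the tool is run as root in the gate and vagrant scripts, so `passwords = yaml.safe_load(f)` is sufficient and removes that surface. If the file parses to None (every key commented out), `passwords.items()` raises AttributeError; `passwords = yaml.safe_load(f) or {}` treats that as an empty mapping instead. The `and v is None` in `if k in blank_keys and v is None:` is redundant, since that branch is already inside `if v is None:`. The `random.SystemRandom()` instance is also rebuilt for every character of every password; binding it once before the loop, `rng = random.SystemRandom()`, keeps the same output and is clearer.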
diff --git a/tools/setup_gate.sh b/tools/setup_gate.sh index aa74a9e629..2dc8136877 100755 --- a/tools/setup_gate.sh +++ b/tools/setup_gate.sh @@ -13,6 +13,8 @@ function setup_config { tox -e genconfig # Copy configs sudo cp -a etc/kolla /etc/ + # Generate passwords + sudo tools/generate_passwords.py # Use Infra provided pypi echo "RUN echo $(base64 -w0 /etc/pip.conf) | base64 -d > /etc/pip.conf" | sudo tee /etc/kolla/header