Comment 9 for bug 1714157

Okay, so my plan is to implement this as a 32 char pwgen, put it in leader settings and have non-leaders wait for the password to appear, along with all the checking that leadership hasn't changed, etc. Essentially, this is already done with the 'heat-domain-admin-password' setting.

I've also noticed what might be a race in the leader_elected() call:

@hooks.hook('leader-elected')
def leader_elected():
    if is_leader() and not leader_get('heat-domain-admin-passwd'):
        leader_set({'heat-domain-admin-passwd': pwgen(32)})

There is a small possibility, I believe, that leader_set(..) could fail if another leader is elected between the call to is_leader() and leader_set(). It is small, but could lead to an error out on the hook. The retry would probably take care of the issue, although it would look ugly in the logs.