admin-password from include-file has line-feed

Bug #1895004 reported by Vern Hart
This bug affects 1 person
Affects: OpenStack Keystone Charm
Status: Fix Released
Importance: Low
Assigned to: Billy Olsen

Bug Description

With an eye towards keeping secrets out of my bundle, I used an include-file for the admin-password, such as:

  applications:
    keystone:
      charm: cs:keystone
      num_units: 3
      options:
        admin-password: include-file://../secrets/keystone-admin-pw.txt

The include file was created with:

  echo "mypassword" > secrets/keystone-admin-pw.txt

After deployment, I was getting "The request you have made requires authentication. (HTTP 401)" when my OS_PASSWORD=mypassword

However, if I embed a newline in my password, it works:

  export OS_PASSWORD="mypassword
  "

As a work-around, I can create the include file without a line-feed:

  echo -n "mypassword" > secrets/keystone-admin-pw.txt

A better solution would be for the charm to strip whitespace and newlines from the end of the config value.
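
A pre-deployment check for the condition described in this report, added here as an example and not part of the original bug report or the charm's code: it flags include-file secrets whose last byte is whitespace and writes them with printf instead of echo. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit secrets files referenced via include-file:// for
# trailing whitespace. Function names and sample values are constructed.

# Print the last byte of a file as two hex digits.
last_byte_hex() {
    tail -c 1 "$1" | od -An -tx1 | tr -d ' \n'
}

# 0 = ends in LF, CR, space or tab; 1 = clean; 2 = missing or empty.
has_trailing_ws() {
    [ -s "$1" ] || return 2
    case "$(last_byte_hex "$1")" in
        0a|0d|20|09) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a secret with no trailing newline and owner-only permissions.
# printf '%s' is portable; 'echo -n' is not honoured by every shell.
write_secret() {
    ( umask 077; printf '%s' "$1" > "$2" )
}

# Check every file given; return non-zero if any would change the password.
audit_secrets() {
    rc=0
    for f in "$@"; do
        has_trailing_ws "$f" && st=0 || st=$?
        case "$st" in
            0) echo "FAIL $f: last byte is 0x$(last_byte_hex "$f")" >&2; rc=1 ;;
            2) echo "FAIL $f: missing or empty" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed demo reproducing the two ways of creating the file.
demo_dir=$(mktemp -d)
echo "mypassword" > "$demo_dir/with-lf.txt"       # appends 0x0a
write_secret "mypassword" "$demo_dir/clean.txt"   # exactly 10 bytes
audit_secrets "$demo_dir/with-lf.txt" "$demo_dir/clean.txt" \
    || echo "fix the files listed above before deploying"
rm -rf "$demo_dir"
```

Running audit_secrets over the secrets directory before `juju deploy` catches the mismatch before it surfaces as an HTTP 401 after deployment.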

Chris MacNaughton (chris.macnaughton) wrote :

Generally, it is recommended to not set the admin-password for the keystone charm at all, and let the charm generate one. If that password is needed for post-deployment activity by a Juju operator, it can be recovered with:

  juju run --unit keystone/leader 'leader-get admin_passwd'

Vern Hart (vern) wrote :

Understood. And generally I agree.

In this scenario, the customer has requested a predictable password, primarily to simplify testing across multiple deployments.

It makes sense to me that the charm would trim given input so that we don't inadvertently get a new-line at the end of the password if we happen to use an include-file to supply the pw.

Changed in charm-keystone:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Billy Olsen (billy-olsen)
milestone: none → 21.04
Changed in charm-keystone:
milestone: 21.04 → none
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone/+/784629
Committed: https://opendev.org/openstack/charm-keystone/commit/7f0317313f9f299eaec48e865d1a30bf8b99173f
Submitter: "Zuul (22348)"
Branch: master

commit 7f0317313f9f299eaec48e865d1a30bf8b99173f
Author: Billy Olsen <email address hidden>
Date: Sat Apr 3 09:54:06 2021 -0700

    Strip whitespace from admin passwords

    While admin passwords are discouraged, they are used by some users
    and using a file to import into the config option may include new
    line characters. Strip the white space from the admin password to
    prevent confusion for users.

    Change-Id: I986b10e960153daed9d0d0cbf81d9c9e918a2150
    Closes-Bug: #1895004

Changed in charm-keystone:
status: In Progress → Fix Committed
Changed in charm-keystone:
milestone: none → 21.10
Changed in charm-keystone:
status: Fix Committed → Fix Released