[RFE] include an action for resetting admin password

Bug #1927280 reported by Peter Matulis
This bug affects 6 people
Affects: OpenStack Keystone Charm
Status: Fix Released
Importance: Wishlist
Assigned to: Pedro Castillo

Bug Description

There are valid use cases for changing the cloud admin user's password. Generally speaking, passwords should always be changeable. Can we get an action for this (e.g. change-admin-password)? The manual process is not straightforward but it looks to be entirely programmable.

I don't think the action should prompt the user for a password. It should just generate one automatically and then inform any concerned API clients. The user would then query for the new one in order to update any possible user-facing tools:

$ juju run-action --wait keystone/leader change-admin-password
$ juju run --unit keystone/leader leader-get admin_passwd

Something similar exists in the vault charm (action 'reissue-certificates').

Alex Kavanagh (ajkavanagh) wrote :

Triage: an additional action.

Peter, it might be useful to list the manual version of the commands to achieve this.

Changed in charm-keystone:
importance: Undecided → Wishlist
status: New → Triaged
tags: added: onboarding
Peter Matulis (petermatulis) wrote :

$ echo $OS_USERNAME
admin

$ echo $OS_PASSWORD
QYQ5JD2gvkKOW6wC

$ openstack volume list
+--------------------------------------+------+-----------+------+-------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+------+-----------+------+-------------+
| c7012b40-56a4-4476-b811-3ee1c5348e82 | 3GB | available | 3 | |
+--------------------------------------+------+-----------+------+-------------+

$ juju run --unit keystone/leader leader-get admin_passwd
QYQ5JD2gvkKOW6wC

$ pwgen -s 16 1
GsG6QVo4zZKHpBMD

$ openstack user password set --original-password QYQ5JD2gvkKOW6wC --password GsG6QVo4zZKHpBMD

$ openstack volume list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-82e4d69f-fc2a-4cb3-9d88-e7b1076d83f3)

$ juju run -u keystone/leader -- leader-set 'admin_passwd=GsG6QVo4zZKHpBMD'

$ source ~/openstack-bundles/stable/openstack-base/openrc
Using Keystone v3 API

$ echo $OS_USERNAME
admin

$ echo $OS_PASSWORD
GsG6QVo4zZKHpBMD

$ openstack volume list
+--------------------------------------+------+-----------+------+-------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+------+-----------+------+-------------+
| c7012b40-56a4-4476-b811-3ee1c5348e82 | 3GB | available | 3 | |
+--------------------------------------+------+-----------+------+-------------+

There are some reports that say that the API clients connected to Keystone (e.g. Cinder, Glance, Neutron API, etc) may not always be informed of the new password. I myself have observed some oddities. However, several consecutive tests based on the above steps have all proven successful. It could be that I did something out of order in my preliminary tests.

The workaround for non-updated clients involves adding extra relations (keystone:identity-admin) to the client applications or transferring the new password over relation-ids if such a relation already exists (which it doesn't for openstack-base clouds).
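
The manual steps from the comment above, collected into one shell function that rolls Keystone back if the leader-set step fails, so the two stores cannot diverge. This is an added example, not part of the original comment and not the charm's rotate-admin-password action; it assumes the juju 2.x and openstack CLIs used above with admin OS_* credentials already sourced, uses /dev/urandom in place of pwgen, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the charm's rotate-admin-password action).
# Function names are hypothetical; the juju/openstack invocations are the
# ones used in the comment above, plus `openstack token issue` as a check.

# Print $1 random alphanumeric characters (stands in for `pwgen -s 16 1`).
gen_password() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$1"
}

# Runs in a subshell "( ... )" so neither password lingers in the caller's
# shell variables. Caveat: like the manual steps, the passwords are passed
# on argv and are briefly visible to local users via ps.
rotate_admin_password() (
    unit="${1:-keystone/leader}"
    old=$(juju run --unit "$unit" leader-get admin_passwd) || return 1
    new=$(gen_password 16)
    [ "${#new}" -eq 16 ] || { echo "password generation failed" >&2; return 1; }

    # 1. Change the password in Keystone, authenticating with the current
    #    OS_* environment (which still holds the old password).
    openstack user password set --original-password "$old" \
        --password "$new" || return 1
    OS_PASSWORD=$new; export OS_PASSWORD   # old credentials now give HTTP 401

    # 2. Record it in the leader settings. If that fails, put the old
    #    password back so Keystone and the charm do not diverge.
    if ! juju run -u "$unit" -- leader-set "admin_passwd=$new"; then
        echo "leader-set failed, rolling back Keystone" >&2
        openstack user password set --original-password "$new" \
            --password "$old"
        return 1
    fi

    # 3. Confirm the new credentials authenticate before reporting success.
    openstack token issue >/dev/null || return 1
    echo "admin password rotated; read it with: leader-get admin_passwd"
)

# Run directly as: sh rotate.sh --run [unit]
if [ "${1:-}" = "--run" ]; then
    rotate_admin_password "${2:-keystone/leader}"
fi
```

After a successful run the caller's own OS_PASSWORD is stale, so re-source the openrc file as in the manual steps.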

tags: added: good-first-bug
tags: removed: onboarding
Changed in charm-keystone:
assignee: nobody → Nicholas Njihia (nicknjihian)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to charm-keystone (master)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone/+/832665
Committed: https://opendev.org/openstack/charm-keystone/commit/ae178d74711f548fe3fd3dda0568492aafe5b216
Submitter: "Zuul (22348)"
Branch: master

commit ae178d74711f548fe3fd3dda0568492aafe5b216
Author: Pedro Castillo <email address hidden>
Date: Tue Mar 8 15:36:29 2022 +0000

    Add rotate-admin-password action

    This action allows the user to easily rotate the admin user's
    password by replacing it with a randomly generated one.

    Change-Id: I6ce69be15b11b00f804d3143d835ec3ce6515865
    Related-Bug: #1927280
    Func-Test-PR: https://github.com/openstack-charmers/zaza-openstack-tests/pull/720

Changed in charm-keystone:
assignee: Nicholas Njihia (nicknjihian) → Pedro Castillo (peterctl)
status: Triaged → Fix Committed
Changed in charm-keystone:
milestone: none → 22.04
Changed in charm-keystone:
status: Fix Committed → Fix Released