keystone config still has admin_token

Bug #1900726 reported by Andy
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Andy

Bug Description

Brief Description
-----------------
After a system is deployed, the keystone config file /etc/keystone/keystone.conf still has admin_token in it. For security considerations, it shouldn't be present, as it's no longer in use.

Severity
--------
Minor

Steps to Reproduce
------------------
- Deploy a system of any config.
- Check /etc/keystone/keystone.conf

Expected Behavior
------------------
The admin_token shouldn't be in /etc/keystone/keystone.conf

Actual Behavior
----------------
- /etc/keystone/keystone.conf still has admin_token in it:
admin_token = 16e8b47d9d482e569af94db72fabTi0*

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
stx master

Last Pass
---------
N/A

Timestamp/Logs
--------------
See steps to reproduce.

Test Activity
-------------
Developer Testing

Workaround
----------
N/A
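The check in the steps to reproduce, written out as an added post-deployment audit script. This is example code, not part of the bug report or of StarlingX/stx-puppet; the sample keystone.conf below is constructed and its token value is a placeholder. It reports whether [DEFAULT] still carries admin_token and produces a copy of the file with that one line removed, leaving every other setting and comment untouched.

```python
"""Audit a keystone.conf for a leftover admin_token (added example).

Not StarlingX or stx-puppet code. The config text below is constructed for
the example; PLACEHOLDER_* values stand in for real secrets.
"""
import configparser
import re

# Constructed sample of a keystone.conf as found after deployment.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
# general settings
log_dir = /var/log/keystone
admin_token = PLACEHOLDER_TOKEN_VALUE

[database]
connection = postgresql://keystone:PLACEHOLDER_PW@localhost/keystone

[token]
provider = fernet
"""

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# oslo.config accepts '=' or ':' as the key/value separator.
_ADMIN_TOKEN_RE = re.compile(r"^\s*admin_token\s*[=:]", re.IGNORECASE)


def find_admin_token(text):
    """Return the admin_token value set in [DEFAULT], or None if absent.

    Keystone reads admin_token from [DEFAULT] only, so an identically named
    key in another section is not what this bug is about and is ignored.
    interpolation=None keeps '%' in connection strings from being expanded;
    strict=False tolerates duplicate keys in hand-edited files.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser.defaults().get("admin_token")


def strip_admin_token(text):
    """Return (new_text, removed_count) with admin_token dropped from [DEFAULT].

    Works line by line instead of re-serialising through configparser so
    comments, ordering and all other settings stay byte-for-byte intact.
    """
    out = []
    removed = 0
    section = "DEFAULT"  # keys before the first header belong to DEFAULT
    for line in text.splitlines(keepends=True):
        header = _SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
        elif section.upper() == "DEFAULT" and _ADMIN_TOKEN_RE.match(line):
            removed += 1
            continue
        out.append(line)
    return "".join(out), removed


def audit(text):
    """Summarise the finding and the hardened result as a dict."""
    token = find_admin_token(text)
    hardened, removed = strip_admin_token(text)
    return {
        "present": token is not None,
        "removed": removed,
        "hardened": hardened,
        "hardened_clean": find_admin_token(hardened) is None,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_KEYSTONE_CONF)
    print("admin_token present:", result["present"])
    print("lines removed:", result["removed"])
    print("hardened copy clean:", result["hardened_clean"])
```

On a real system the same functions would be fed the contents of /etc/keystone/keystone.conf; the hardened text is returned rather than written back, so the caller decides whether to rewrite the file or just report the finding.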

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Ghada Khalil (gkhalil) wrote :

stx.5.0 / medium priority - should be fixed as these are security concerns

tags: added: stx.security
tags: added: stx.5.0
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/759055

Changed in starlingx:
status: Triaged → In Progress
Ghada Khalil (gkhalil)
summary: - keystone config still has admin_token and services's passwords have
- predictable pattern
+ keystone config still has admin_token
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/759055
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=12cce45b1da8759251b5f51ab872f0b127d96500
Submitter: Zuul
Branch: master

commit 12cce45b1da8759251b5f51ab872f0b127d96500
Author: Andy Ning <email address hidden>
Date: Thu Sep 24 15:42:59 2020 -0400

    Remove admin_token from keystone config

    Currently the admin_token is still set with a value in keystone.conf
    though it is disabled after bootstrap and no longer in use. This update
    removes it during controllers unlocking as a security enhancement.

    This update also fixes a ceph issue that would be triggered by the
    above change and cause ceph.pp to not generate ceph.conf properly
    due to a resource creation disorder.

    Change-Id: I4093bca40fad3724e89d902aae36d26f85aebd60
    Closes-Bug: 1900726
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/762919
