Debian- 'puppet/22.06/hieradata/secure_system.yaml' is not updated after admin password change

Bug #1979995 reported by Reinildes Oliveira
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Reinildes Oliveira

Bug Description

Brief Description

After the admin password change, check the '/opt/platform/puppet/22.06/hieradata/secure_system.yaml' file. It is not updated with the new password.

Severity

Standard

Steps to Reproduce

Run automation: testcases/functional/security/test_admin_password_change.py::test_admin_password_change

Manually:

1. Change the admin password

openstack --os-username 'admin' --os-password 'Li69nux*' --os-project-name admin --os-auth-url http://[abcd:204::1]:5000/v3 --os-user-domain-name Default --os-project-domain-name Default --os-identity-api-version 3 --os-interface internal --os-region-name RegionOne user password set --os-region-name RegionOne --password 'YAWvum2*' --original-password 'Li69nux*'

2. Check whether the password is updated

[sysadmin@controller-0 ~(keystone_admin)]$ keyring get CGCS admin
YAWvum2*

3. Verify that the puppet files are updated with the password

[sysadmin@controller-0 ~(keystone_admin)]$ sudo cat /opt/platform/puppet/22.06/hieradata/secure_system.yaml | grep -F 'YAWvum2*' --color=never
[sysadmin@controller-0 ~(keystone_admin)]$

Expected Behavior

On CentOS:

[2022-06-03 23:35:39,201] 348 DEBUG MainThread ssh.send :: Send 'sudo cat /opt/platform/puppet/22.06/hieradata/secure_system.yaml | grep -F 'ZTNcwk9*' --color=never'
[2022-06-03 23:35:39,266] 471 DEBUG MainThread ssh.expect :: Output:
Password:
[2022-06-03 23:35:39,266] 348 DEBUG MainThread ssh.send :: Send 'Li69nux*'
[2022-06-03 23:35:39,365] 471 DEBUG MainThread ssh.expect :: Output:
dcmanager::api::keystone_admin_password: !!python/unicode 'ZTNcwk9*'
dcorch::api_proxy::keystone_admin_password: !!python/unicode 'ZTNcwk9*'
keystone::admin_password: !!python/unicode 'ZTNcwk9*'
keystone::roles::admin::password: !!python/unicode 'ZTNcwk9*'
platform::client::params::admin_password: !!python/unicode 'ZTNcwk9*'

Actual Behavior

In secure_system.yaml, the password is the old one:

[sysadmin@controller-0 ~(keystone_admin)]$ sudo cat /opt/platform/puppet/22.06/hieradata/secure_system.yaml | grep -F 'Li69nux*' --color=never
dcmanager::api::keystone_admin_password: Li69nux*
dcorch::api_proxy::keystone_admin_password: Li69nux*
keystone::admin_password: Li69nux*
keystone::roles::admin::password: Li69nux*
platform::client::params::admin_password: Li69nux*

Reproducibility

Reproducible

System Configuration

WCP_112

IPv6

Load info (eg: 2022-03-10_20-00-07)

Last Pass

Pass on CentOS

Timestamp/Logs

Alarms

[sysadmin@controller-0 ~(keystone_admin)]$ fm alarm-list
+----------+------------------------------------------------------------------+-------------------+----------+--------------+
| Alarm ID | Reason Text                                                      | Entity ID         | Severity | Time Stamp   |
+----------+------------------------------------------------------------------+-------------------+----------+--------------+
| 400.003  | License key has expired or is invalid; a valid license key is    | host=controller-0 | critical | 2022-06-21T1 |
|          | required for operation                                           |                   |          | 4:33:58.     |
|          |                                                                  |                   |          | 453978       |
|          |                                                                  |                   |          |              |
+----------+------------------------------------------------------------------+-------------------+----------+--------------+

Test Activity

Regression Testing

Workaround

Describe workaround if available
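
An added example (not part of the original report or the StarlingX code base): a check for the condition this bug describes. It compares the current keyring value against the five admin-password keys shown above and returns only the names of stale keys, so the secret is never echoed to a terminal or log. It accepts both forms seen in the report (tagged "!!python/unicode '...'" on CentOS, bare scalar on Debian); the function names are hypothetical and the sample values are constructed.

```python
import hmac
import re

# Keys the bug report shows carrying the admin password in secure_system.yaml.
ADMIN_PASSWORD_KEYS = (
    "dcmanager::api::keystone_admin_password",
    "dcorch::api_proxy::keystone_admin_password",
    "keystone::admin_password",
    "keystone::roles::admin::password",
    "platform::client::params::admin_password",
)

# "key: value" with an optional YAML tag such as !!python/unicode (CentOS form).
_LINE = re.compile(r"^(?P<key>[\w:]+):\s+(?:!!\S+\s+)?(?P<value>.*?)\s*$")


def parse_hieradata(text):
    """Return {key: scalar} for the flat 'key: value' lines of a hieradata file."""
    data = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        value = m.group("value")
        # Strip one pair of matching quotes (assumes no embedded quote escapes).
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        data[m.group("key")] = value
    return data


def stale_keys(hieradata_text, current_password):
    """Names of admin-password keys that are missing or differ from the keyring value."""
    data = parse_hieradata(hieradata_text)
    want = current_password.encode()
    return [
        key for key in ADMIN_PASSWORD_KEYS
        if key not in data or not hmac.compare_digest(data[key].encode(), want)
    ]


# Constructed sample (made-up values): one key updated, one still old, rest absent.
SAMPLE = (
    "keystone::admin_password: !!python/unicode 'new-Example2*'\n"
    "keystone::roles::admin::password: old-Example1*\n"
)

if __name__ == "__main__":
    print(stale_keys(SAMPLE, "new-Example2*"))  # prints key names only
```

On a controller, the inputs would be the contents of secure_system.yaml read as root and the value returned by the keyring for the admin user.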

Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/847805

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/847806

OpenStack Infra (hudson-openstack) wrote : Change abandoned on config (master)

Change abandoned by "Reinildes Oliveira <email address hidden>" on branch: master
Review: https://review.opendev.org/c/starlingx/config/+/847805
Reason: created a duplicate by mistake: https://review.opendev.org/c/starlingx/config/+/847806

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/847807

OpenStack Infra (hudson-openstack) wrote : Change abandoned on config (master)

Change abandoned by "Reinildes Oliveira <email address hidden>" on branch: master
Review: https://review.opendev.org/c/starlingx/config/+/847806

Ghada Khalil (gkhalil)
tags: added: stx.debian stx.security
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/847807
Committed: https://opendev.org/starlingx/config/commit/b2eab5aaed687574a26c9b320b99bd2955336da0
Submitter: "Zuul (22348)"
Branch: master

commit b2eab5aaed687574a26c9b320b99bd2955336da0
Author: Rei Oliveira <email address hidden>
Date: Mon Jun 27 12:21:29 2022 -0300

    Use session object when creating keystone_client

    The new version of the keystone client we are using in debian does not
    support instantiating a keystone_client without a session object.

    This is making use of an existing self._get_keystone_session function
    to create the session object and using that session object to
    authenticate with the keystone_client. There are also minor
    refactorings to avoid using the keystone client at bootstrap time.

    Test plan on both centos and debian:

    PASS: Run 'openstack user password set' to change the password and
          verified that /opt/platform/puppet/22.06/hieradata/
          secure_system.yaml gets updated with the new password, keyring
          gets updated with new password and /var/log/sm-customer.log
          shows that the vim service gets restarted

    PASS: Verify that no keystone error messages are shown during bootstrap
          in sysinv.log keystone listener are started.

    PASS: When keystone admin user password changes, observe the
          corresponding entity in keyring is updated, and vim is restarted
          (by openstack::keystone::password::runtime)

    Closes-Bug: 1979995

    Signed-off-by: Rei Oliveira <email address hidden>
    Change-Id: Id4d4bf8072a853d4d3e016e9afa2cd984ee85694

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.7.0