Adding validation and error message for safely rejecting keystone passwords with single and double quotation marks

Bug #2035982 reported by Tae Park
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Tae Park

Bug Description

Brief Description

Ansible bootstrap fails to handle Keystone user passwords that contain quotation marks (single or double quotes).

Keystone requires that a user password be at least seven characters long and contain at least:

one lower-case character
one upper-case character
one numeric character
one special character

The password regex in /etc/keystone/password_rules.conf specifies the acceptance criteria; Ansible applies it to the Keystone password during system bootstrap.

Under the Keystone password requirements, values such as L!n69ux'" or M@n0"'el or St@rlinx'2" are accepted. If a password containing a single or a double quote is in use when the 'dcmanager subcloud add --bootstrap-address ${subcloud_ip_address} --bootstrap-values bootstrap-values.yaml' command triggers the subcloud bootstrap via Ansible, the subcloud bootstrap fails.

The first role to fail is store-passwd: because double-quote characters must be escaped in the string, the Python scripts in the tasks named "Validate admin password" and "Store admin password" exit with errors when they try to store the password value. These tasks can be fixed as suggested by the system outputs in the referenced comment.

When the Ansible bootstrap is issued again, the task "Wait for service endpoints reconfiguration to complete" from the persist-config role leads to another failure. This task requires that a file be present in a specific directory before it can be marked as passed. The file is expected to be created by puppet after the service endpoints are correctly reconfigured, with a timeout of around 45 minutes. If the required file is created manually, the task is marked as passed and the system bootstrap procedure continues. The bootstrap then fails when it reaches "Add loopback interface" from the bringup-essential-services role.

Standalone systems are also exposed to this problem, since it is reproducible in a plain system bootstrap. The comments section of CGTS-48790 has outputs that may help in understanding this scenario.

Severity

Minor

Steps to Reproduce

In a running DC system with active/enabled/available status, change the SystemController Keystone password to a value similar to L!n34ux('" following the steps at https://docs.starlingx.io/dist_cloud/kubernetes/changing-the-admin-password-on-distributed-cloud.html#changing-the-admin-password-on-distributed-cloud .
Verify that the SystemController's Keystone password was changed by running 'source /etc/platform/openrc ; echo $OS_PASSWORD'.
Add and bootstrap a new SX subcloud with the 'dcmanager subcloud add --bootstrap-address ${subcloud_ip_address} --bootstrap-values bootstrap-values.yaml' command and observe that the subcloud bootstrap fails.
Inspect the log output in /var/log/dcmanager/ansible/*.log .

Alternatively, bootstrap a system with an admin_password similar to L!n34ux('" set in localhost.yml and observe that the bootstrap fails.

More information related to this at CGTS-48790.

Expected Behavior

Ansible bootstrap should be completed successfully.

Actual Behavior

Ansible bootstrap fails while handling the Keystone user password.

Reproducibility

100% reproducible

System Configuration

Distributed Cloud

Load info (eg: 2022-03-10_20-00-07)

SW_VERSION="23.09"
BUILD_DATE="2023-06-27 06:55:34 +0000"
BUILD_DIR="/localdisk/loadbuild/windriver/stx-env"

Last Pass

N/A

Timestamp/Logs

Please check the comments section of CGTS-48790.

Alarms

N/A

Test Activity

Developer Testing

Workaround

Workaround is to use a password that doesn't use quotation marks.

Changed in starlingx:
status: New → In Progress
Tae Park (tparkwr)
Changed in starlingx:
assignee: nobody → Tae Park (tparkwr)
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/895206
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/049b9863047892cd67e5fdb93d98ebb2b3d0773c
Submitter: "Zuul (22348)"
Branch: master

commit 049b9863047892cd67e5fdb93d98ebb2b3d0773c
Author: Tae Park <email address hidden>
Date: Thu Sep 14 14:21:07 2023 -0400

    Extra condition added to password validation

    The presence of quotation marks (single or double) causes issues with
    certain commands run within the bootstrap. As such, adding extra
    validation during "Validate admin password" task in bootstrap so that
    allowed password patterns that include single quotes and double quotes
    are rejected. Error message for the task also indicates as such. In
    particular, this aims to stop issues caused by syntax issues created
    from passwords being handled in plaintext.

    Test Plan:

    PASS: admin passwords that include single or double quote characters
    should be rejected in bootstrap
    PASS: error message for "Fail if provided admin password does not meet
    required complexity" task should indicate those characters are not
    allowed.
    PASS: passwords without any quotation marks, and passing all other
    existing rules should pass the bootstrap without any issues

    Partial-bug: 2035982

    Change-Id: I59435417172f661799dce37fee02489bb2229351
    Signed-off-by: Tae Park <email address hidden>
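
The following Python is an added illustration and is not code from the starlingx/ansible-playbooks change above or from the StarlingX bootstrap itself. It models the two checks the page describes: the Keystone complexity rules listed in the bug description (at least seven characters with a lower-case, an upper-case, a numeric and a special character) and the new rejection of single and double quotes with an explicit error message. The regex is our own rendering of those rules, since the actual /etc/keystone/password_rules.conf content is not reproduced on the page. The helpers naive_command, quoted_command and shell_roundtrip are hypothetical: they show why interpolating such a password into a plaintext shell string breaks on an unbalanced quote, and how shlex.quote preserves it, which is the root cause the commit message alludes to.

```python
import re
import shlex

# Our rendering of the complexity rules quoted in the bug report (the real
# pattern lives in /etc/keystone/password_rules.conf and is not shown here):
# at least seven characters, with one lower-case, one upper-case, one numeric
# and one special (non-alphanumeric) character.
COMPLEXITY_RE = re.compile(
    r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{7,}$"
)

# Characters the fix rejects outright, because the bootstrap handles the
# password in plaintext inside command strings.
FORBIDDEN_CHARS = {"'", '"'}


def validate_admin_password(password):
    """Return (True, "") if acceptable, else (False, reason).

    Order mirrors the page: Keystone complexity first, then the added
    rejection of quotation marks with a message that names the problem.
    """
    if not COMPLEXITY_RE.match(password):
        return (False, "Password must be at least 7 characters and contain "
                       "a lower-case, an upper-case, a numeric and a special "
                       "character")
    found = sorted(FORBIDDEN_CHARS & set(password))
    if found:
        return (False, "Password must not contain quotation marks "
                       "(found: %s)" % " ".join(found))
    return (True, "")


def naive_command(password):
    """Hypothetical fragile pattern: the secret is dropped into a shell string."""
    return 'store-passwd --admin "%s"' % password


def quoted_command(password):
    """Hypothetical hardened pattern: shlex.quote yields a single shell token."""
    return "store-passwd --admin %s" % shlex.quote(password)


def shell_roundtrip(command):
    """Split the command as a POSIX shell would and return its argv.

    Returns None when the string is not lexically valid (unbalanced quotes),
    which is what happens to the naive form for a password such as L!n69ux'".
    """
    try:
        return shlex.split(command)
    except ValueError:
        return None


if __name__ == "__main__":
    # Sample passwords taken from the bug description; St@rlinx2 is constructed.
    for pw in ["L!n69ux'\"", "M@n0\"'el", "St@rlinx2"]:
        print(repr(pw), validate_admin_password(pw))
        print("  naive argv :", shell_roundtrip(naive_command(pw)))
        print("  quoted argv:", shell_roundtrip(quoted_command(pw)))
```

The two quote-bearing passwords from the report pass the complexity regex and are then rejected with the quotation-mark message, while the naive interpolation of either one fails to parse at all; the shlex.quote form round-trips every password intact. Rejecting the characters (the approach the fix took) and quoting correctly (the approach a later fix could take) are the two defensible options; what the bug shows is that doing neither leaves the bootstrap fragile.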

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.9.0 stx.config stx.security
Tae Park (tparkwr) wrote : Re: Ansible Bootstrap failing due to quotation marks present on keystone's user password

For now, we have decided to restrict the use of quotation marks for the keystone passwords. The process for the bootstrap has been changed so that the passwords with quotation marks will be properly rejected.

summary: - Ansible Bootstrap failing due to quotation marks present on keystone's
- user password
+ Adding validation and error message for safely rejecting keystone
+ passwords with single and double quotation marks
Changed in starlingx:
status: In Progress → Fix Released