SnmpdReadonlyUserPassword isn't set by the Mistral workflow

Bug #1631279 reported by Dougal Matthews
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Dougal Matthews

Bug Description

The Mistral workflows generate passwords if they are missing and attempt to get SnmpdReadonlyUserPassword from hiera (by running `hiera snmpd_readonly_user_password`). However, the Mistral user doesn't have access to this.

We need to either provide the user with access or give it to the user a different way.

Dougal Matthews (d0ugal) wrote :

Discussion from #tripleo

<d0ugal> dprince: Do you remember discussing getting the snmpd_readonly_user_password from hiera?
<d0ugal> dprince: That doesn't work, the Mistral user can't access it. Any other ideas?
<dprince> d0ugal: can we specifically store/stash it somewhere on deployment (create or update)
<d0ugal> dprince: This is the undercloud password (IIUC), so maybe instack could do that?
<dprince> d0ugal: sure, but it is also supplied to the overcloud via a Heat parameter so we should have access to it either way right?
<d0ugal> dprince: Right, but how do we get it to Heat?
<d0ugal> dprince: it's easy for the CLI to pass it to a workflow, that is what it does now
<d0ugal> dprince: but not so easy for the UI
<d0ugal> dprince: it is stored in hiera and the undercloud conf file in the stack home directory.
<dprince> d0ugal: Can't we write a custom Mistral action that essentially looks it up for us via the same python function (utils.get_config_value)
<dprince> d0ugal: kind of an evil thing to expose via the API so perhaps guard it to just the passwords we need
<d0ugal> dprince: Mistral is running as the wrong user, so it won't have the permissions
<dprince> d0ugal: so, then I think this is a 2 part fix. Update the instack installer to provide access to this for the Mistral user
<d0ugal> dprince: okay, how would you provide access?
<dprince> d0ugal: we can have multiple hiera files.... they don't all have to have extra permissions I think
<dprince> d0ugal: just read perms would be required, perhaps we create a simple unix group that can read this extra file
<dprince> d0ugal: share_passwords.yaml or something
<dprince> d0ugal: shared_passwords?
<d0ugal> dprince: okay, that sounds good, I'll start digging.
<dprince> d0ugal: I don't have a strong opinion on the name yet
<dprince> d0ugal: thanks for chasing this. The last few params are always the funnest

Dougal Matthews (d0ugal)
Changed in tripleo:
assignee: nobody → Dougal Matthews (d0ugal)
Dougal Matthews (d0ugal)
Changed in tripleo:
milestone: none → newton-rc3
tags: added: newton-backport-potential
Changed in tripleo:
milestone: newton-rc3 → ocata-1
Changed in tripleo:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to instack-undercloud (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/385294

OpenStack Infra (hudson-openstack) wrote : Change abandoned on instack-undercloud (stable/newton)

Change abandoned by Dougal Matthews (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/385294

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (stable/newton)

Change abandoned by Dougal Matthews (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/385323

OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (master)

Reviewed: https://review.openstack.org/383694
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=0c5b729609c687f0fcadaafb69b56d9363b8d9b6
Submitter: Jenkins
Branch: master

commit 0c5b729609c687f0fcadaafb69b56d9363b8d9b6
Author: Dougal Matthews <email address hidden>
Date: Tue Oct 11 15:33:27 2016 +0100

    Make the snmpd_readonly_user_password available to Mistral

    The Mistral deployment workflow needs to access this password so it can
    be passed to Heat as the SnmpdReadonlyUserPassword parameter. Otherwise
    the workflow relies on being passed the password, for tripleoclient this
    isn't an issue but TripleO-ui doesn't have access to this.

    The password is stored in a Mistral environment, which can then be accessed
    by Mistral actions.

    Partial-Bug: #1631279
    Change-Id: I71edae4a4dee2204edf32e3b2800f075d221b856

OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (stable/newton)

Reviewed: https://review.openstack.org/385294
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=ddb5bb57a5332da37aa987a43f05cc959c1a3df0
Submitter: Jenkins
Branch: stable/newton

commit ddb5bb57a5332da37aa987a43f05cc959c1a3df0
Author: Dougal Matthews <email address hidden>
Date: Tue Oct 11 15:33:27 2016 +0100

    Make the snmpd_readonly_user_password available to Mistral

    The Mistral deployment workflow needs to access this password so it can
    be passed to Heat as the SnmpdReadonlyUserPassword parameter. Otherwise
    the workflow relies on being passed the password, for tripleoclient this
    isn't an issue but TripleO-ui doesn't have access to this.

    The password is stored in a Mistral environment, which can then be accessed
    by Mistral actions.

    Partial-Bug: #1631279
    Change-Id: I71edae4a4dee2204edf32e3b2800f075d221b856
    (cherry picked from commit 0c5b729609c687f0fcadaafb69b56d9363b8d9b6)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix proposed to instack-undercloud (master)

Fix proposed to branch: master
Review: https://review.openstack.org/386558

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/383696
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=b3b8f556c077192cb08d05ac0984e800a35a55b2
Submitter: Jenkins
Branch: master

commit b3b8f556c077192cb08d05ac0984e800a35a55b2
Author: Dougal Matthews <email address hidden>
Date: Fri Oct 7 12:11:47 2016 +0100

    Fetch the snmpd_readonly_user_password from the Mistral environment

    The snmpd readonly password is stored in a Mistral environment by
    instack so it can be accessed by Mistral as the Hiera approach wasn't
    working. This updates the password action to use the new password
    source.

    Closes-Bug: #1631279
    Depends-On: I71edae4a4dee2204edf32e3b2800f075d221b856
    Change-Id: I94428d1deb000c65a1c0266d01f660b76d4a3ee5

Changed in tripleo:
status: In Progress → Fix Released
Dougal Matthews (d0ugal) wrote :

A workaround for GUI deployments. The CLI can access the password config and already uses that to pass the parameter; Mistral and thus the GUI don't have access until this bug is fully resolved.

The password is available in ~/undercloud-passwords.conf under the name undercloud_ceilometer_snmpd_password. For example:

    undercloud_ceilometer_snmpd_password=ec22668e312ad111274837966e9e8707b04f3969

It is also available via hiera:

    $ sudo hiera snmpd_readonly_user_password
    ec22668e312ad111274837966e9e8707b04f3969

This needs to be taken and set as the SnmpdReadonlyUserPassword Heat parameter in the deployment.
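
The workaround above, as an added example that is not part of the original comment or of TripleO's own code: it reads undercloud_ceilometer_snmpd_password from a key=value file and writes a Heat environment file that sets SnmpdReadonlyUserPassword, without echoing the secret and with owner-only permissions. The function names, the output file name, the alphanumeric-only check and the sample config contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not TripleO code). File locations are passed in by the caller.

# Print the value of KEY from a key=value file such as undercloud-passwords.conf.
# Section headers and comment lines are skipped; exit status 1 if KEY is absent.
get_conf_value() {
    awk -v k="$2" '
        /^[ \t]*(#|;|\[)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name != k) next
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# Write a Heat environment file that sets SnmpdReadonlyUserPassword.
# The secret is never echoed, and the file is created owner-only (0600).
write_snmp_env() {
    conf=$1 out=$2
    pw=$(get_conf_value "$conf" undercloud_ceilometer_snmpd_password) || return 1
    # Assumption: generated passwords are alphanumeric; refuse anything else
    # rather than emit YAML that would need escaping.
    case $pw in ''|*[!A-Za-z0-9]*) return 1 ;; esac
    (
        umask 077
        rm -f "$out"   # drop any older copy that may have looser permissions
        printf 'parameter_defaults:\n  SnmpdReadonlyUserPassword: "%s"\n' "$pw" > "$out"
    )
}

# Demo on a constructed config (keys other than the SNMP one and all values
# below are made up for this example).
demo_dir=$(mktemp -d)
printf '[auth]\nsome_other_password=aaaa1111\nundercloud_ceilometer_snmpd_password = 0123abcd4567ef89\n' \
    > "$demo_dir/undercloud-passwords.conf"
write_snmp_env "$demo_dir/undercloud-passwords.conf" "$demo_dir/snmp-password.yaml" \
    && echo "wrote $demo_dir/snmp-password.yaml"
```
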

Julie Pichon (jpichon) wrote :

The setting in the web UI can be found by clicking the pencil on the Controller card and looking in the Services tab for OS::TripleO::Services::Snmp.

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/newton)

Reviewed: https://review.openstack.org/385323
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=ae49ca29c7602e9b257b8385e2b9873db30a8acf
Submitter: Jenkins
Branch: stable/newton

commit ae49ca29c7602e9b257b8385e2b9873db30a8acf
Author: Dougal Matthews <email address hidden>
Date: Fri Oct 7 12:11:47 2016 +0100

    Fetch the snmpd_readonly_user_password from the Mistral environment

    The snmpd readonly password is stored in a Mistral environment by
    instack so it can be accessed by Mistral as the Hiera approach wasn't
    working. This updates the password action to use the new password
    source.

    Closes-Bug: #1631279
    Depends-On: I186217fd0e1125519149763e610d3efdff583388
    Change-Id: I94428d1deb000c65a1c0266d01f660b76d4a3ee5
    (cherry picked from commit b3b8f556c077192cb08d05ac0984e800a35a55b2)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 5.4.0

This issue was fixed in the openstack/tripleo-common 5.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 5.5.0

This issue was fixed in the openstack/tripleo-common 5.5.0 release.
