Merge "Add password rotation docs page"

2024-02-29 11:37:52 +00:00 · 2024-02-29 11:37:52 +00:00 · d42cdef420
commit d42cdef420
parent e513ddd982 d6d82e2a88
2 changed files with 296 additions and 0 deletions
--- a/doc/source/admin/index.rst
+++ b/doc/source/admin/index.rst
@ -12,3 +12,4 @@ Admin Guides
   etcd
   production-architecture-guide
   deployment-philosophy
   password-rotation
--- a/doc/source/admin/password-rotation.rst
+++ b/doc/source/admin/password-rotation.rst
@ -0,0 +1,295 @@
 =================
 Password Rotation
 =================
 This guide describes how to change the internal secrets from ``passwords.yml``
 used by Kolla-Ansible. It does not cover every possible ``passwords.yml``
 variable, only the most common ones.
 .. warning::
   Always back up your ``passwords.yml`` file before making any changes.
   Otherwise, it is easy to make unrecoverable mistakes.
 .. warning::
   This guide relies on recent changes to Kolla and Kolla-Ansible. You may
   encounter errors if applying this guide to older deployments. It is
   recommended that you update your containers and kolla-ansible to the latest
   available versions before proceeding.
 Regenerating secrets
 --------------------
 Passwords can be quickly re-generated using ``kolla-genpwd``.
 Assuming an existing ``/etc/kolla/passwords.yml`` file, make a backup:
 .. code-block:: bash
   cp /etc/kolla/passwords.yml ./passwords.yml.bak
 Edit the ``passwords.yml`` file to remove the password strings for any secrets
 that need to be regenerated i.e. change ``foo: "bar"`` to ``foo:``.
 Regenerate the removed passwords:
 .. code-block:: bash
   kolla-genpwd -p /etc/kolla/passwords.yml
 Applying regenerated secrets
 ----------------------------
 The majority of the secrets can be applied by simply reconfiguring services
 with ``kolla-ansible reconfigure``. Below is a list of secrets that can be
 applied this way.
 * ``*_keystone_password``
 * ``*_database_password`` (excluding ``nova_database_password``)
 * ``*_ssh_key`` (excluding ``kolla_ssh_key``)
 * ``keystone_admin_password``
 * ``designate_rndc_key``
 * ``keepalived_password``
 * ``libvirt_sasl_password``
 * ``metadata_secret``
 * ``opensearch_dashboards_password``
 * ``osprofiler_secret``
 * ``prometheus_alertmanager_password``
 * ``qdrouterd_password``
 * ``redis_master_password``
 It is possible to change more secrets however some require manual steps. The
 manual steps vary depending on the secret. They are listed below in the order
 they should be applied if they are to be changed at the same time. Once all
 manual steps are complete, reconfigure services (``kolla-ansible
 reconfigure``).
 For simplicity, this guide assumes Docker is being used. The same commands
 should also work for Podman deployments by replacing instances of ``docker``
 with ``podman`` in all relevant commands.
 Kolla SSH key
 ^^^^^^^^^^^^^
 There is currently no mechanism within Kolla-Ansible to rotate
 ``kolla_ssh_key``. It is however a relatively simple task to perform using a
 standard Ansible playbook, or can be performed by hand on smaller deployments.
 Horizon Secret Key
 ^^^^^^^^^^^^^^^^^^
 The Horizon secret key (``horizon_secret_key``) is unique because it explicitly
 supports rotation. In reality, it is a Django secret key, and is used for
 cryptographic signing e.g. generating password recovery links. To minimise user
 impact, it is possible to set two secret keys at once. The new one will be used
 for generating new artifacts, while the old one will still be accepted for
 existing artifacts.
 Take note of the old password, generate a new one, and take note of it as well.
 Add it to the ``passwords.yml`` file, along with the old secret, in this
 exact format (including quotes in the middle):
 .. code:: bash
   horizon_secret_key: newsecret' 'oldsecret
 It is important to remember to remove the old key and reconfigure services
 again, after all old artifacts have expired e.g. after approximately one to two
 weeks.
 Grafana Admin Password
 ^^^^^^^^^^^^^^^^^^^^^^
 The Grafana admin password (``grafana_admin_password``) must be rotated
 manually.
 #. Generate a new Grafana Admin password.
 #. Replace the old password in ``passwords.yml``.
 #. Exec into any Grafana container:
   .. code:: bash
      docker exec -it grafana bash
 #. Run the password reset command, then enter the new password:
   .. code:: bash
      grafana-cli admin reset-admin-password --password-from-stdin
 Database Password
 ^^^^^^^^^^^^^^^^^
 The database administrator password (``database_password``) must be rotated
 manually.
 #. Generate a new database password.
 #. Replace the old password in ``passwords.yml``, take note of both the old and
   new passwords.
 #. SSH to a host running a MariaDB container.
 #. Exec into the MariaDB container:
   .. code-block:: bash
      docker exec -it mariadb bash
 #. Log in to the database. You will be prompted for the password. Use the
   old value of ``database_password``:
   .. code:: bash
      mysql --batch -uroot -p
 #. Check the current state of the ``root`` user:
   .. code:: bash
      SELECT Host,User,Password FROM mysql.user WHERE User='root';
 #. Update the password for the ``root`` user:
   .. code:: bash
      SET PASSWORD FOR 'root'@'%' = PASSWORD('newpassword');
 #. Check that the password hash has changed in the user list:
   .. code:: bash
      SELECT Host,User,Password FROM mysql.user WHERE User='root';
 #. If there are any remaining root users with the old password e.g.
   ``root@localhost``, change the password for them too.
 Nova Database Password
 ^^^^^^^^^^^^^^^^^^^^^^
 The nova database admin user password (``nova_database_password``) must be
 rotated manually.
 .. warning::
   From this point onward, API service may be disrupted.
 #. Generate a new Nova database password.
 #. Replace the old password in ``passwords.yml``.
 #. Exec into the ``nova_conductor`` container:
   .. code:: bash
      docker exec -it nova_conductor bash
 #. List the cells:
   .. code:: bash
      nova-manage cell_v2 list_cells --verbose
 #. Find the entry for ``cell0``, copy the Database Connection value,
   replace the password in the string with the new value, and update it
   with the following command:
   .. code:: bash
      nova-manage cell_v2 update_cell --cell_uuid 00000000-0000-0000-0000-000000000000 --database_connection "CONNECTION WITH NEW PASSWORD HERE" --transport-url "none:///"
   (If the ``cell_uuid`` for ``cell0`` is not
   ``00000000-0000-0000-0000-000000000000``, change the above command
   accordingly)
 Heat Domain Admin Password
 ^^^^^^^^^^^^^^^^^^^^^^^^^^
 The keystone password for the heat domain admin service user
 (``heat_domain_admin_password``) must be rotated manually.
 It can be changed by an administrator just like any other standard OpenStack
 user password. Generate a new password, replace the old password in
 ``passwords.yml``, then apply the change manually:
 .. code-block:: bash
   openstack user set --password <password> heat_domain_admin --domain heat_user_domain
 RabbitMQ Secrets
 ^^^^^^^^^^^^^^^^
 RabbitMQ uses two main secrets. An Erlang cookie for cluster membership
 (``rabbitmq_cluster_cookie``), and a RabbitMQ management user password
 (``rabbitmq_password``). There is currently no documented process for
 seamlessly rotating these secrets. Many OpenStack services use RabbitMQ for
 communication and reconfiguring them with the new credentials can take some
 time, resulting in a relatively long API outage.
 It is recommended that you stop all services, then stop and destroy the
 RabbitMQ containers and volumes. Because the RabbitMQ containers are destroyed,
 ``kolla-ansible deploy`` should be used to restart services rather than
 ``kolla-ansible reconfigure``. Detailed steps are listed below:
 #. Generate a new ``rabbitmq_cluster_cookie`` and ``rabbitmq_password``.
 #. Replace the old values in ``passwords.yml``.
 #. Stop OpenStack services:
   .. code-block:: bash
      kolla-ansible -i inventory stop
 #. On each node running RabbitMQ, destroy its containers and volumes:
   .. code-block:: bash
      docker stop rabbitmq
      docker rm rabbitmq
      docker volume rm rabbitmq
 #. Redeploy services:
   .. code-block:: bash
      kolla-ansible -i inventory deploy
 Post-redeploy changes
 ^^^^^^^^^^^^^^^^^^^^^
 Once services have been redeployed, the existing Memcached data should be
 flushed. The old Memcached password will no longer be used so any data stored
 using it will be inaccessible.
 The instructions below must be run from a host that has access to the network
 the Memcached containers are using. If you are not sure, run them from a host
 that is running Memcached.
 #. Install a telnet client:
   .. code-block:: bash
      apt/dnf install telnet
 #. Check the config for the IP and port used by Memcached (on every host
   running Memcached):
   .. code:: bash
      sudo grep command /etc/kolla/memcached/config.json
   The IP and port will be printed after ``-l`` and ``-p`` respectively
 #. For each container start a Telnet session, clear all data, then
   exit:
   .. code:: bash
      telnet <ip> <port>
      flush_all
      quit
 Known out-of-scope secrets
 --------------------------
 Below is a list of passwords that are known to be outside the scope of this
 guide.
 * ``docker_registry_password`` - kolla-ansible cannot manage docker registries.