Add generate_passwords.py to generate passwords

As with all tools, this is a first pass at the generation. Perhaps we
even want to move this into kolla/kolla/cmd and be generated with tox
itself in the future.

This tool, when run, populates only fields that have no value, so it
is safe to run repeatedly on the same file.

Of note, there is no way to preserve comments in the file after it has
been processed by the yaml parser in python. Comments and sections
will remain in the passwords.yml template for additional documentation
if the user wishes to populate the file themselves.

Use SystemRandom and clean up the docs a bit to not use pronouns.

Co-Authored-By: Steven Dake <stdake@cisco.com>

Closes-Bug: #1559266
Change-Id: I2932d592df8871f1b7811059206d0b4d0553a687
SamYaple 2016-03-16 21:45:25 +00:00 committed by Sam Yaple
parent ff3095f56e
commit f03e06e09b
7 changed files with 101 additions and 41 deletions


@ -165,6 +165,7 @@ function configure_operator {
tox -c ${KOLLA_PATH}/tox.ini -e genconfig tox -c ${KOLLA_PATH}/tox.ini -e genconfig
cp -r ${KOLLA_PATH}/etc/kolla/ /etc/kolla cp -r ${KOLLA_PATH}/etc/kolla/ /etc/kolla
${KOLLA_PATH}/tools/generate_passwords.py
mkdir -p /usr/share/kolla mkdir -p /usr/share/kolla
chown -R vagrant: /etc/kolla /usr/share/kolla chown -R vagrant: /etc/kolla /usr/share/kolla


@ -390,6 +390,15 @@ the Ansible inventory file can be found in the Ansible `inventory introduction
All variables for the environment can be specified in the files: All variables for the environment can be specified in the files:
"/etc/kolla/globals.yml" and "/etc/kolla/passwords.yml" "/etc/kolla/globals.yml" and "/etc/kolla/passwords.yml"
Generate passwords for /etc/kolla/passwords.yml using the provided
kolla-genpwd tool. The tool will populate all empty fields in the
"/etc/kolla/passwords.yml" file using randomly generated values to secure the
deployment. Optionally, the passwords may be populate in the file by hand.
::
kolla-genpwd
Start by editing /etc/kolla/globals.yml. Check and edit, if needed, these Start by editing /etc/kolla/globals.yml. Check and edit, if needed, these
parameters: kolla_base_distro, kolla_install_type. parameters: kolla_base_distro, kolla_install_type.


@ -1,66 +1,62 @@
--- ---
# TODO(SamYaple): This file should have generated values by default. Propose
# Ansible vault for locking down the secrets properly.
################### ###################
# Ceph options # Ceph options
#################### ####################
ceph_cluster_fsid: "5fba2fbc-551d-11e5-a8ce-01ef4c5cf93c" # These options must be UUID4 values in string format
rbd_secret_uuid: "bbc5b4d5-6fca-407d-807d-06a4f4a7bccb" # XXXXXXXX-XXXX-4XXX-XXXX-XXXXXXXXXXXX
ceph_cluster_fsid:
rbd_secret_uuid:
################### ###################
# Database options # Database options
#################### ####################
database_password: "password" database_password:
#################### ####################
# Docker options # Docker options
#################### ####################
# This should only be set if you require a password for your Docker registry
docker_registry_password: docker_registry_password:
#################### ####################
# OpenStack options # OpenStack options
#################### ####################
keystone_admin_password: "password" keystone_admin_password:
keystone_database_password: "password" keystone_database_password:
glance_database_password: "password" glance_database_password:
glance_keystone_password: "password" glance_keystone_password:
nova_database_password: "password" nova_database_password:
nova_api_database_password: "password" nova_api_database_password:
nova_keystone_password: "password" nova_keystone_password:
neutron_database_password: "password" neutron_database_password:
neutron_keystone_password: "password" neutron_keystone_password:
metadata_secret: "password" metadata_secret:
cinder_database_password: "password" cinder_database_password:
cinder_keystone_password: "password" cinder_keystone_password:
swift_keystone_password: "password" swift_keystone_password:
swift_hash_path_suffix: "kolla" swift_hash_path_suffix:
swift_hash_path_prefix: "kolla" swift_hash_path_prefix:
heat_database_password: "password" heat_database_password:
heat_keystone_password: "password" heat_keystone_password:
heat_domain_admin_password: "password" heat_domain_admin_password:
murano_database_password: "password" murano_database_password:
murano_keystone_password: "password" murano_keystone_password:
ironic_database_password: "password" ironic_database_password:
ironic_keystone_password: "password" ironic_keystone_password:
magnum_database_password: "password" magnum_database_password:
magnum_keystone_password: "password" magnum_keystone_password:
mistral_database_password: "password" mistral_database_password:
mistral_keystone_password: "password" mistral_keystone_password:
horizon_secret_key: "password" horizon_secret_key: "password"
@ -72,12 +68,11 @@ memcache_secret_key: "password"
#################### ####################
# RabbitMQ options # RabbitMQ options
#################### ####################
rabbitmq_password: "password" rabbitmq_password:
rabbitmq_cluster_cookie: "password" rabbitmq_cluster_cookie:
#################### ####################
# HAProxy options # HAProxy options
#################### ####################
haproxy_password: "password" haproxy_password:
keepalived_password: "password" keepalived_password:
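Review bot: `horizon_secret_key: "password"` is unchanged on both sides of this section, and the second hunk's header shows `memcache_secret_key: "password"` just above it, so both appear to keep the well-known default. The generator added in this commit fills only keys whose value is None, so it will never replace them. Leaving them empty like the other entries (`horizon_secret_key:` and `memcache_secret_key:`) would let kolla-genpwd generate them. The lines between the two hunks are not visible here, so the memcache value is inferred from the hunk header only.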

51
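--- a/kolla/cmd/genpwd.py
+++ b/kolla/cmd/genpwd.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import random
+import string
+import uuid
+import yaml
+def main():
+# These keys should be random uuids
+uuid_keys = ['ceph_cluster_fsid', 'rbd_secret_uuid']
+# If these keys are None, leave them as None
+blank_keys = ['docker_registry_password']
+# length of password
+length = 40
+with open('/etc/kolla/passwords.yml', 'r') as f:
+passwords = yaml.load(f.read())
+for k, v in passwords.items():
+if v is None:
+if k in blank_keys and v is None:
+continue
+if k in uuid_keys:
+passwords[k] = str(uuid.uuid4())
+else:
+passwords[k] = ''.join([
+random.SystemRandom().choice(
+string.ascii_letters + string.digits)
+for n in range(length)
+])
+with open('/etc/kolla/passwords.yml', 'w') as f:
+f.write(yaml.dump(passwords, default_flow_style=False))
+if __name__ == '__main__':
+main()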
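Review bot: `passwords = yaml.load(f.read())` in main() uses PyYAML's full loader, which can construct arbitrary Python objects from tags in the file, and the gate script in this commit runs the tool under sudo; `passwords = yaml.safe_load(f)` reads the same plain key/value mapping without that capability. An empty passwords.yml makes the loader return None, so `passwords.items()` would raise; `yaml.safe_load(f) or {}` covers that case. The rewrite through `open('/etc/kolla/passwords.yml', 'w')` never sets the file mode, so whether the generated secrets are readable by other local users depends on the permissions the file already had. Restricting the mode to owner-only before writing, or documenting the expected mode, would close that gap. The `and v is None` on the blank_keys test is redundant inside the `if v is None:` branch.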


@ -35,6 +35,7 @@ scripts =
[entry_points] [entry_points]
console_scripts = console_scripts =
kolla-build = kolla.cmd.build:main kolla-build = kolla.cmd.build:main
kolla-genpwd = kolla.cmd.genpwd:main
oslo.config.opts = oslo.config.opts =
kolla = kolla.opts:list_opts kolla = kolla.opts:list_opts

1
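--- a/tools/generate_passwords.py
+++ b/tools/generate_passwords.py
@@ -0,0 +1 @@
+../kolla/cmd/genpwd.py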


@ -13,6 +13,8 @@ function setup_config {
tox -e genconfig tox -e genconfig
# Copy configs # Copy configs
sudo cp -a etc/kolla /etc/ sudo cp -a etc/kolla /etc/
# Generate passwords
sudo tools/generate_passwords.py
# Use Infra provided pypi # Use Infra provided pypi
echo "RUN echo $(base64 -w0 /etc/pip.conf) | base64 -d > /etc/pip.conf" | sudo tee /etc/kolla/header echo "RUN echo $(base64 -w0 /etc/pip.conf) | base64 -d > /etc/pip.conf" | sudo tee /etc/kolla/header