From 83eaf03d990c73c597b49419dc38fdc08ecabcb6 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Wed, 21 Oct 2020 18:44:33 +0300 Subject: [PATCH] Add default simple key to secrets Currently we deploy barbican with weird crypto key. We should generate unique one with secrets. Also we define `barbican_ceilometer_enabled` variable to avoid notifications queue overflow caused by absent listener. Needed-By: https://review.opendev.org/759084 Change-Id: I1732916102dd8cc387d65566f3d3f96038e30e40 --- etc/openstack_deploy/user_secrets.yml | 1 + inventory/group_vars/barbican_all.yml | 1 + releasenotes/notes/token-gen-key-0395ca56015506d1.yaml | 5 +++++ scripts/pw-token-gen.py | 6 +++--- 4 files changed, 10 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/token-gen-key-0395ca56015506d1.yaml diff --git a/etc/openstack_deploy/user_secrets.yml b/etc/openstack_deploy/user_secrets.yml index b4c156afa8..c9ff8115ad 100644 --- a/etc/openstack_deploy/user_secrets.yml +++ b/etc/openstack_deploy/user_secrets.yml @@ -235,6 +235,7 @@ barbican_oslomsg_rpc_password: # your user variables. #barbican_oslomsg_notify_password: barbican_service_password: +barbican_simple_crypto_key: ## Blazar Options blazar_oslomsg_rpc_password: diff --git a/inventory/group_vars/barbican_all.yml b/inventory/group_vars/barbican_all.yml index c19fb9319d..e0169480b7 100644 --- a/inventory/group_vars/barbican_all.yml +++ b/inventory/group_vars/barbican_all.yml @@ -16,3 +16,4 @@ barbican_service_region: "{{ service_region }}" barbican_service_in_ldap: "{{ service_ldap_backend_enabled }}" barbican_keystone_auth: yes +barbican_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}" diff --git a/releasenotes/notes/token-gen-key-0395ca56015506d1.yaml b/releasenotes/notes/token-gen-key-0395ca56015506d1.yaml new file mode 100644 index 0000000000..da244c62ec --- /dev/null +++ b/releasenotes/notes/token-gen-key-0395ca56015506d1.yaml 
@@ -0,0 +1,5 @@ +--- +other: + - | + pw-token-gen.py script will generate always 32 char string instead of + random choice between 24 or 32 length. diff --git a/scripts/pw-token-gen.py b/scripts/pw-token-gen.py index 6638d027ea..6b30095f68 100755 --- a/scripts/pw-token-gen.py +++ b/scripts/pw-token-gen.py @@ -42,7 +42,7 @@ class CredentialGenerator(object): password: 16 - 64 character string secret: 16 - 64 character string token: 64 - 72 character string - key: 24, or 32 character string (Needs to be AES compatible) + key: 32 character string (Needs to be AES compatible) Usage: >>> generator = CredentialGenerator() @@ -96,14 +96,14 @@ class CredentialGenerator(object): return encoded_bytes[:random.randrange(64, 72)] def _key_gen(self, encoded_bytes): - """Returns ``str`` with a length of 24 or 32. + """Returns ``str`` with a length of 32. Length restriction are required for key type secrets because of requirements in AES. :param encoded_bytes: ``str`` must be at least 32 charters long """ - return encoded_bytes[:random.choice([24, 32])] + return encoded_bytes[:32] def args():
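Review bot: `_key_gen` now returns `encoded_bytes[:32]`, but a slice never fails, so an input shorter than 32 characters silently yields a shorter key, even though the docstring requires at least 32 characters and an AES-compatible length. Since the commit uses this generator to fill `barbican_simple_crypto_key`, I would fail loudly before the return: `if len(encoded_bytes) < 32: raise ValueError("key material must be at least 32 characters")`. How `encoded_bytes` is produced is outside the hunk; if it is hex or base64 text, 32 characters carry fewer than 256 bits of entropy, which is worth stating in the docstring next to the AES remark. The enclosing class and the callers of `_key_gen` also start outside the hunk, so whether a short input can actually reach it cannot be confirmed from here.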