Skip cred-key setup when keys already exist

This change adds a conditional to the _fernet_setup to avoid overwriting credential-keys when keystone-manage credential-setup is ran and there are already existing credential keys. This will mitigate issues where encrypted credential blobs in keystone were becoming un-decryptable when the credential keys were being overridden or lost upon upgrading. Change-Id: Iac2b080d5d44bdf07534126419a1d5dd86055d6b
2019-04-26 11:12:48 -05:00 · 2019-04-26 11:12:48 -05:00 · 3b14e77d2a
commit 3b14e77d2a
parent 0f459ecfee
1 changed files with 5 additions and 0 deletions
--- a/keystone/templates/bin/_fernet-manage.py.tpl
+++ b/keystone/templates/bin/_fernet-manage.py.tpl
@ -155,6 +155,11 @@ def main():
                 FERNET_DIR)
        write_to_files(secret['data'])

+    if args.command == 'credential_setup':
+        if secret.get('data', False):
+            LOG.info('Credential keys already exist, skipping setup...')
+            sys.exit(0)
+
    execute_command(args.command)

    LOG.info("Updating data for '%s' secret.", SECRET_NAME)