diff --git a/deploy-guide/source/index.rst b/deploy-guide/source/index.rst index 53414fd..f286572 100644 --- a/deploy-guide/source/index.rst +++ b/deploy-guide/source/index.rst @@ -77,6 +77,7 @@ OpenStack Charms usage. To help improve it you can `file an issue`_ or app-managing-power-events ceph-operations deferred-events + operational-tasks .. toctree:: :caption: Storage diff --git a/deploy-guide/source/operational-tasks.rst b/deploy-guide/source/operational-tasks.rst new file mode 100644 index 0000000..a26c0de --- /dev/null +++ b/deploy-guide/source/operational-tasks.rst @@ -0,0 +1,12 @@ +================= +Operational tasks +================= + +This page lists operational tasks that can be applied to a Charmed OpenStack +cloud. Generally speaking, the cloud should be in a healthy state prior to +having these operations applied to it. + +* `Change Keystone admin password`_ + +.. LINKS +.. _Change Keystone admin password: ops-change-keystone-password.html diff --git a/deploy-guide/source/ops-change-keystone-password.rst b/deploy-guide/source/ops-change-keystone-password.rst new file mode 100644 index 0000000..297eca9 --- /dev/null +++ b/deploy-guide/source/ops-change-keystone-password.rst 
@@ -0,0 +1,104 @@ +:orphan: + +============================== +Change Keystone admin password +============================== + +Preamble +-------- + +There are valid use cases for resetting the Keystone administrator password on +a running cloud. For example, the password may have been unintentionally +exposed to a third-party during a troubleshooting session (e.g. directly on +screen, remote screen-sharing, viewing of log files, etc.). + +.. warning:: + + This procedure will cause downtime for Keystone, the cloud's central + authentication service. Many core services will therefore be impacted. Plan + for a short maintenance window (~15 minutes). + + It is recommended to first test this procedure on a staging cloud. + +Procedure +--------- + +Confirm the admin user context +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Ensure that the current user is user 'admin': + +.. code-block:: none + + env | grep OS_USERNAME + OS_USERNAME=admin + +If it's not, source the appropriate cloud admin init file (e.g. ``openrc`` or +``novarc``). + +Obtain the current password +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Obtain the current password with: + +.. code-block:: none + + juju run --unit keystone/leader leader-get admin_passwd + +Change the password +~~~~~~~~~~~~~~~~~~~ + +Generate a 16-character password string with the :command:`pwgen` utility: + +.. code-block:: none + + pwgen -s 16 1 + +Change the password with the below command. When prompted, enter the current +password and then the new password (i.e. the generated string). + +.. caution:: + + Once the next command completes successfully the cloud will no longer be + able to authenticate requests by the OpenStack CLI clients or the cloud's + core services (i.e. Cinder, Glance, Neutron, Compute, Nova Cloud + Controller). + +.. code-block:: none + + openstack user password set + Current Password: **************** + New Password: **************** + Repeat New Password: **************** + +The entered data will not echo back to the screen. + +.. 
note:: + + Command options ``--original-password`` and ``--password`` are available but + can leak sensitive information to the system logs. + +Inform the keystone charm +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Inform the keystone charm of the new password: + +.. code-block:: none + + juju run -u keystone/leader -- leader-set 'admin_passwd=' + +Verification +~~~~~~~~~~~~ + +Verify the resumption of normal cloud operations by running a routine battery +of tests. The creation of a VM is a good choice. + +Update any user-facing tools +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Any cloud init files (e.g. ``novarc``) that are hardcoded with the old admin +password should be updated to guarantee continued administrative access to the +cloud by admin-level operators. + +Refresh any browser-cached passwords or password-management plugins (e.g. +Bitwarden, LastPass) to ensure successful cloud dashboard (Horizon) logins.
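Review bot: in the `operational-tasks.rst` hunk, the link target `.. _Change Keystone admin password: ops-change-keystone-password.html` is a hard-coded HTML path rather than a Sphinx cross-reference; because the target page is marked `:orphan:` and is not in any toctree, a plain `.html` link is the only thing tying it into the guide, and it silently breaks if the HTML file suffix or output layout changes. Prefer a `:doc:` reference in the bullet, e.g. `* :doc:`Change Keystone admin password <ops-change-keystone-password>``, so that Sphinx validates the target at build time and the `.. LINKS` block for it can be dropped.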
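Review bot: in the `ops-change-keystone-password.rst` hunk, the "Inform the keystone charm" step shows `juju run -u keystone/leader -- leader-set 'admin_passwd='` with nothing after the `=`, so a reader copying it as written would set an empty admin password in leader data; the line needs an explicit placeholder for the generated string (e.g. `admin_passwd=<new-password>`). The same step also contradicts the page's own `.. note::` about `--password` leaking to logs: passing the new password on the `leader-set` command line records it in the operator's shell history and in Juju's command logging, so the text should at least mention clearing or disabling history for that command, and the earlier `leader-get admin_passwd` step likewise prints the current password to the terminal. Minor consistency points: the two `juju run` invocations use `--unit` and `-u` for the same option, and on Juju 3.x this command is `juju exec` rather than `juju run`, which is worth a one-line caveat since the guide does not pin a Juju version.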