Add operation: reset keystone password

Add an operations page to contain a list of operational
tasks, each of which will have its own page.

Add the first such task (reset Keystone password).

An RFE bug was filed against 'charm-keystone' requesting
an equivalent action.

Related-Bug: #1927280
Change-Id: I2fa5e7300a0972e04fa5be7956b65d6c2be1efc8
Peter Matulis 2021-05-05 16:19:01 -04:00
parent 990a38ca10
commit 62fce0527a
3 changed files with 117 additions and 0 deletions


@ -77,6 +77,7 @@ OpenStack Charms usage. To help improve it you can `file an issue`_ or
app-managing-power-events
ceph-operations
deferred-events
operational-tasks
.. toctree::
:caption: Storage


@ -0,0 +1,12 @@
=================
Operational tasks
=================
This page lists operational tasks that can be applied to a Charmed OpenStack
cloud. Generally speaking, the cloud should be in a healthy state prior to
having these operations applied to it.
* `Change Keystone admin password`_
.. LINKS
.. _Change Keystone admin password: ops-change-keystone-password.html
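
Review bot: the task link at the bottom of the page targets a raw ``ops-change-keystone-password.html`` file, which Sphinx does not validate and which breaks for non-HTML builders; since the target page is marked ``:orphan:`` and this list is its only entry point, a rename or typo would silently produce a dead link. Prefer the ``:doc:`` role, e.g. ``:doc:`Change Keystone admin password <ops-change-keystone-password>```, so a missing page fails the build. It would also help to say what "healthy state" means as a precondition for these tasks (for instance every unit active/idle in ``juju status``), since each task page relies on it.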


@ -0,0 +1,104 @@
:orphan:
==============================
Change Keystone admin password
==============================
Preamble
--------
There are valid use cases for resetting the Keystone administrator password on
a running cloud. For example, the password may have been unintentionally
exposed to a third-party during a troubleshooting session (e.g. directly on
screen, remote screen-sharing, viewing of log files, etc.).
.. warning::
This procedure will cause downtime for Keystone, the cloud's central
authentication service. Many core services will therefore be impacted. Plan
for a short maintenance window (~15 minutes).
It is recommended to first test this procedure on a staging cloud.
Procedure
---------
Confirm the admin user context
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ensure that the current user is user 'admin':
.. code-block:: none
env | grep OS_USERNAME
OS_USERNAME=admin
If it's not, source the appropriate cloud admin init file (e.g. ``openrc`` or
``novarc``).
Obtain the current password
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Obtain the current password with:
.. code-block:: none
juju run --unit keystone/leader leader-get admin_passwd
Change the password
~~~~~~~~~~~~~~~~~~~
Generate a 16-character password string with the :command:`pwgen` utility:
.. code-block:: none
pwgen -s 16 1
Change the password with the below command. When prompted, enter the current
password and then the new password (i.e. the generated string).
.. caution::
Once the next command completes successfully the cloud will no longer be
able to authenticate requests by the OpenStack CLI clients or the cloud's
core services (i.e. Cinder, Glance, Neutron, Compute, Nova Cloud
Controller).
.. code-block:: none
openstack user password set
Current Password: ****************
New Password: ****************
Repeat New Password: ****************
The entered data will not echo back to the screen.
.. note::
Command options ``--original-password`` and ``--password`` are available but
can leak sensitive information to the system logs.
Inform the keystone charm
~~~~~~~~~~~~~~~~~~~~~~~~~
Inform the keystone charm of the new password:
.. code-block:: none
juju run -u keystone/leader -- leader-set 'admin_passwd=<new-password>'
Verification
~~~~~~~~~~~~
Verify the resumption of normal cloud operations by running a routine battery
of tests. The creation of a VM is a good choice.
Update any user-facing tools
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Any cloud init files (e.g. ``novarc``) that are hardcoded with the old admin
password should be updated to guarantee continued administrative access to the
cloud by admin-level operators.
Refresh any browser-cached passwords or password-management plugins (e.g.
Bitwarden, LastPass) to ensure successful cloud dashboard (Horizon) logins.
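
Review bot: the "Inform the keystone charm" step puts the new password on the command line (``juju run -u keystone/leader -- leader-set 'admin_passwd=<new-password>'``), which is the same exposure the note just above it warns against for ``--original-password``/``--password``: the value lands in the operator's shell history and in the juju run record on the controller, and is visible in ``ps`` on the unit while it executes. At minimum the page should say so and suggest a mitigation (e.g. prefixing the command with a space under ``HISTCONTROL=ignorespace``, or removing it from history afterwards); the same caveat applies to ``leader-get admin_passwd``, which prints the old password to the screen, the very exposure the preamble gives as the reason for rotating it, acceptable only because that password is about to be retired. Two ordering problems: the Verification section asks the reader to create a VM before "Update any user-facing tools", but the CLI is still sourced with the old ``OS_PASSWORD`` at that point and every request will fail with 401; move the init-file update (or an explicit ``export OS_PASSWORD=<new-password>``) ahead of Verification, and give a concrete smoke test such as ``openstack token issue`` before the VM creation. Please also confirm the caution's claim that Cinder, Glance, Neutron and Nova stop authenticating once the admin password changes: those services use their own service-user credentials, so what is actually broken between the ``openstack user password set`` and ``leader-set`` steps is the keystone charm's own admin-context operations and any admin-sourced CLI session; if the broader claim holds, state the mechanism. Minor: ``juju run --unit`` and ``juju run -u`` are used for the same thing in adjacent steps; pick one.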