Add operation: reset keystone password
Add an operations page to contain a list of operational tasks, each of which will have its own page. Add the first such task (reset Keystone password). An RFE bug was filed against 'charm-keystone' requesting an equivalent action.

Related-Bug: #1927280
Change-Id: I2fa5e7300a0972e04fa5be7956b65d6c2be1efc8
parent 990a38ca10
commit 62fce0527a
@ -77,6 +77,7 @@ OpenStack Charms usage. To help improve it you can `file an issue`_ or
|
|||
app-managing-power-events
|
||||
ceph-operations
|
||||
deferred-events
|
||||
operational-tasks
|
||||
|
||||
.. toctree::
|
||||
:caption: Storage
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
=================
|
||||
Operational tasks
|
||||
=================
|
||||
|
||||
This page lists operational tasks that can be applied to a Charmed OpenStack
|
||||
cloud. Generally speaking, the cloud should be in a healthy state prior to
|
||||
having these operations applied to it.
|
||||
|
||||
* `Change Keystone admin password`_
|
||||
|
||||
.. LINKS
|
||||
.. _Change Keystone admin password: ops-change-keystone-password.html
|
|
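Review bot: The link target in the LINKS section at the end of this new page is a hardcoded ``ops-change-keystone-password.html``, which Sphinx does not check at build time, so a renamed or missing target page will go unnoticed. Consider listing the task page in a (hidden) toctree on this page and linking to it with the ``:doc:`` role instead; the reference is then validated at build time and the ``:orphan:`` marker at the top of the target page becomes unnecessary.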
@ -0,0 +1,104 @@
|
|||
:orphan:
|
||||
|
||||
==============================
|
||||
Change Keystone admin password
|
||||
==============================
|
||||
|
||||
Preamble
|
||||
--------
|
||||
|
||||
There are valid use cases for resetting the Keystone administrator password on
|
||||
a running cloud. For example, the password may have been unintentionally
|
||||
exposed to a third-party during a troubleshooting session (e.g. directly on
|
||||
screen, remote screen-sharing, viewing of log files, etc.).
|
||||
|
||||
.. warning::
|
||||
|
||||
This procedure will cause downtime for Keystone, the cloud's central
|
||||
authentication service. Many core services will therefore be impacted. Plan
|
||||
for a short maintenance window (~15 minutes).
|
||||
|
||||
It is recommended to first test this procedure on a staging cloud.
|
||||
|
||||
Procedure
|
||||
---------
|
||||
|
||||
Confirm the admin user context
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Ensure that the current user is user 'admin':
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
env | grep OS_USERNAME
|
||||
OS_USERNAME=admin
|
||||
|
||||
If it's not, source the appropriate cloud admin init file (e.g. ``openrc`` or
|
||||
``novarc``).
|
||||
|
||||
Obtain the current password
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Obtain the current password with:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
juju run --unit keystone/leader leader-get admin_passwd
|
||||
|
||||
Change the password
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Generate a 16-character password string with the :command:`pwgen` utility:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
pwgen -s 16 1
|
||||
|
||||
Change the password with the below command. When prompted, enter the current
|
||||
password and then the new password (i.e. the generated string).
|
||||
|
||||
.. caution::
|
||||
|
||||
Once the next command completes successfully the cloud will no longer be
|
||||
able to authenticate requests by the OpenStack CLI clients or the cloud's
|
||||
core services (i.e. Cinder, Glance, Neutron, Compute, Nova Cloud
|
||||
Controller).
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
openstack user password set
|
||||
Current Password: ****************
|
||||
New Password: ****************
|
||||
Repeat New Password: ****************
|
||||
|
||||
The entered data will not echo back to the screen.
|
||||
|
||||
.. note::
|
||||
|
||||
Command options ``--original-password`` and ``--password`` are available but
|
||||
can leak sensitive information to the system logs.
|
||||
|
||||
Inform the keystone charm
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Inform the keystone charm of the new password:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
juju run -u keystone/leader -- leader-set 'admin_passwd=<new-password>'
|
||||
|
||||
Verification
|
||||
~~~~~~~~~~~~
|
||||
|
||||
Verify the resumption of normal cloud operations by running a routine battery
|
||||
of tests. The creation of a VM is a good choice.
|
||||
|
||||
Update any user-facing tools
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Any cloud init files (e.g. ``novarc``) that are hardcoded with the old admin
|
||||
password should be updated to guarantee continued administrative access to the
|
||||
cloud by admin-level operators.
|
||||
|
||||
Refresh any browser-cached passwords or password-management plugins (e.g.
|
||||
Bitwarden, LastPass) to ensure successful cloud dashboard (Horizon) logins.
|
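Review bot: In "Inform the keystone charm", the ``leader-set 'admin_passwd=<new-password>'`` command places the new password on the command line, which is the same exposure the note under "Change the password" warns about for ``--original-password`` and ``--password``. Suggest adding a matching note at that step telling the operator to keep the command out of shell history and to clear the terminal afterwards. The ``leader-get admin_passwd`` and ``pwgen -s 16 1`` steps also print the secret to the screen, which is the exposure scenario the preamble gives as the reason for the procedure, so a short reminder there would help too. Minor: the two ``juju run`` examples use ``--unit`` and ``-u`` respectively; pick one form for consistency.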