diff --git a/ironic/conf/conductor.py b/ironic/conf/conductor.py index 976130e997..cabd796b29 100644 --- a/ironic/conf/conductor.py +++ b/ironic/conf/conductor.py @@ -258,8 +258,7 @@ opts = [ help=_('Password hash algorithm to be used for the rescue ' 'password.')), cfg.BoolOpt('require_rescue_password_hashed', - # TODO(TheJulia): Change this to True in Victoria. - default=False, + default=True, mutable=True, help=_('Option to cause the conductor to not fallback to ' 'an un-hashed version of the rescue password, ' diff --git a/releasenotes/notes/require-hashed-rescue-password-6f7c0424e12c1aeb.yaml b/releasenotes/notes/require-hashed-rescue-password-6f7c0424e12c1aeb.yaml new file mode 100644 index 0000000000..e34eb6f34f --- /dev/null +++ b/releasenotes/notes/require-hashed-rescue-password-6f7c0424e12c1aeb.yaml @@ -0,0 +1,5 @@ +upgrade: + - | + Ironic now requires rescue passwords to be hashed. Operators who would like + to continue using unhashed passwords must set + `[conductor]/require_rescue_password_hashed` to ``false``.