Update keystone service user passwords
Service user passwords will now be updated in keystone if services are reconfigured with new passwords set in config. This behaviour can be overridden. Closes-Bug: #2045990 Change-Id: I91671dda2242255e789b521d19348b0cccec266f
parent
7a29abb590
commit
ffd6e3bf32
@ -1019,6 +1019,10 @@ keystone_public_url: "{{ keystone_external_fqdn | kolla_url(public_protocol, key
|
||||
keystone_admin_user: "admin"
|
||||
keystone_admin_project: "admin"
|
||||
|
||||
# Whether or not to apply changes to service user passwords when services are
|
||||
# reconfigured
|
||||
update_keystone_service_user_passwords: true
|
||||
|
||||
default_project_domain_name: "Default"
|
||||
default_project_domain_id: "default"
|
||||
|
||||
|
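Review bot: The comment above `update_keystone_service_user_passwords: true` does not say what the `false` case does, nor that the new default makes `passwords.yml` authoritative over whatever is stored in Keystone. Because the default is `true`, a service password that was changed directly in Keystone would presumably be reset to the `passwords.yml` value on the next reconfigure, and this is the place operators will look for that. I would extend the comment with a line such as `# When false, passwords are only set when the user is first created (update_password: on_create).`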
@ -30,6 +30,7 @@
|
||||
name: "{{ magnum_trustee_domain_admin }}"
|
||||
domain: "{{ magnum_trustee_domain }}"
|
||||
password: "{{ magnum_keystone_password }}"
|
||||
update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
|
||||
auth: "{{ openstack_magnum_auth }}"
|
||||
endpoint_type: "{{ openstack_interface }}"
|
||||
cacert: "{{ openstack_cacert }}"
|
||||
|
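Review bot: The hunk does not show whether this task sets `no_log: true`, which matters more now that `update_password` resolves to `always` by default and `magnum_keystone_password` is submitted on every reconfigure instead of only at user creation. The task begins and ends outside the hunk, so this needs checking in the full file. If it is missing, the secret can surface in verbose or failed-task output. The same check applies to the `item.password` task in the `@ -70,6 +70,7 @@` hunk, where the looped `item` is normally echoed per iteration unless `no_log` or a `loop_control` label hides it.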
@ -70,6 +70,7 @@
|
||||
default_project: "{{ item.project }}"
|
||||
name: "{{ item.user }}"
|
||||
password: "{{ item.password }}"
|
||||
update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
|
||||
domain: "{{ service_ks_register_domain }}"
|
||||
region_name: "{{ service_ks_register_region_name }}"
|
||||
auth: "{{ service_ks_register_auth }}"
|
||||
|
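Review bot: With `update_password` set to `'always'` on this line, the task most likely re-submits the password for every registered service user on each run, not only when `passwords.yml` changed, because the module cannot read the current password back from Keystone to compare. This is inferred from how the `always` mode is documented and should be confirmed against the collection version in use. If it holds, the task will report `changed` on every reconfigure, which hides real credential changes in the run output and in any change-based auditing. A short comment on the task would help, for example `# 'always' re-sends the password on each run; a changed result here does not by itself mean the credential was rotated`. The task body continues outside the hunk.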
@ -519,6 +519,9 @@ workaround_ansible_issue_8743: yes
|
||||
# 28800(8 hour), 43200(12 hour), 86400(1 day), 604800(1 week).
|
||||
#fernet_token_expiry: 86400
|
||||
|
||||
# Whether or not to apply changes to service user passwords when services are
|
||||
# reconfigured
|
||||
#update_keystone_service_user_passwords: "true"
|
||||
|
||||
########################
|
||||
# Glance - Image Options
|
||||
|
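Review bot: The commented example `#update_keystone_service_user_passwords: "true"` shows a quoted string, while the default added in the first hunk is the bare boolean `true`. The `| bool` filter in the tasks accepts both, so this is not a functional problem. An operator who uncomments the line and edits it to `"false"` is, however, relying on that filter being applied at every use of the variable. I would keep the sample consistent with the default: `#update_keystone_service_user_passwords: true`.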
@ -0,0 +1,29 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Changes to service user passwords in ``passwords.yml`` will now be applied
|
||||
when reconfiguring services.
|
||||
|
||||
This behaviour can reverted by setting
|
||||
``update_keystone_service_user_passwords: false``.
|
||||
|
||||
Fixes `LP#2045990
|
||||
<https://bugs.launchpad.net/kolla-ansible/+bug/2045990>`__
|
||||
upgrade:
|
||||
- |
|
||||
If credentials are updated in ``passwords.yml`` kolla-ansible is now able
|
||||
to update these credentials in the keystone database and in the on disk
|
||||
config files.
|
||||
|
||||
The changes to ``passwords.yml`` are applied once ``kolla-ansible -i
|
||||
INVENTORY`` reconfigure has been run.
|
||||
|
||||
If you want to revert to the old behavior - credentials not automatically
|
||||
updating during reconfigure if they changed in ``passwords.yml`` - you can
|
||||
specify this by setting ``update_keystone_service_user_passwords: false``
|
||||
in your globals.yml.
|
||||
|
||||
Notice that passwords are only changed if you change them in
|
||||
``passwords.yml``. This mechanism is not a complete solution for automatic
|
||||
credential rollover. No passwords are changed if you do not change them
|
||||
inside ``passwords.yml``.
|