openstack/openstack-ansible
Code Issues Proposed changes

Add default simple key to secrets

Browse Source 
Currently we deploy barbican with weird crypto key. We should generate
unique one with secrets. Also we define `barbican_ceilometer_enabled`
variable to avoid notifications queue overflow caused by absent listener.

Needed-By: https://review.opendev.org/759084
Change-Id: I1732916102dd8cc387d65566f3d3f96038e30e40
This commit is contained in:
Dmitriy Rabotyagov 2020-10-21 18:44:33 +03:00 committed by Jonathan Rosser
parent 886e586f10
commit 83eaf03d99
4 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
etc/openstack_deploy/user_secrets.yml
View File

@ -235,6 +235,7 @@ barbican_oslomsg_rpc_password:
# your user variables. # your user variables.
#barbican_oslomsg_notify_password: #barbican_oslomsg_notify_password:
barbican_service_password: barbican_service_password:
barbican_simple_crypto_key:
## Blazar Options ## Blazar Options
blazar_oslomsg_rpc_password: blazar_oslomsg_rpc_password:

1
inventory/group_vars/barbican_all.yml
View File

@ -16,3 +16,4 @@
barbican_service_region: "{{ service_region }}" barbican_service_region: "{{ service_region }}"
barbican_service_in_ldap: "{{ service_ldap_backend_enabled }}" barbican_service_in_ldap: "{{ service_ldap_backend_enabled }}"
barbican_keystone_auth: yes barbican_keystone_auth: yes
barbican_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"

5
releasenotes/notes/token-gen-key-0395ca56015506d1.yaml Normal file
View File

@ -0,0 +1,5 @@
---
other:
- |
pw-token-gen.py script will generate always 32 char string instead of
random choice between 24 or 32 length.

6
scripts/pw-token-gen.py
View File

@ -42,7 +42,7 @@ class CredentialGenerator(object):
password: 16 - 64 character string password: 16 - 64 character string
secret: 16 - 64 character string secret: 16 - 64 character string
token: 64 - 72 character string token: 64 - 72 character string
key: 24, or 32 character string (Needs to be AES compatible) key: 32 character string (Needs to be AES compatible)
Usage: Usage:
>>> generator = CredentialGenerator() >>> generator = CredentialGenerator()
@ -96,14 +96,14 @@ class CredentialGenerator(object):
return encoded_bytes[:random.randrange(64, 72)] return encoded_bytes[:random.randrange(64, 72)]
def _key_gen(self, encoded_bytes): def _key_gen(self, encoded_bytes):
"""Returns ``str`` with a length of 24 or 32. """Returns ``str`` with a length of 32.
Length restriction are required for key type secrets because of Length restriction are required for key type secrets because of
requirements in AES. requirements in AES.
:param encoded_bytes: ``str`` must be at least 32 charters long :param encoded_bytes: ``str`` must be at least 32 charters long
""" """
return encoded_bytes[:random.choice([24, 32])] return encoded_bytes[:32]
def args(): def args():