Do not rotate CephX secrets
We do not want the CephX keys to rotate by default; some cannot
be changed at all after the cluster has been deployed.
Change-Id: Iefe87eb869e248ea1e98d9ae34cdeeea57aa5426
(cherry picked from commit 621ebcea78
)
parent
17b2e731a9
commit
6945b14796
|
@ -154,6 +154,10 @@ DO_NOT_ROTATE_LIST = (
|
||||||
'KeystoneFernetKey0',
|
'KeystoneFernetKey0',
|
||||||
'KeystoneFernetKey1',
|
'KeystoneFernetKey1',
|
||||||
'KeystoneFernetKeys',
|
'KeystoneFernetKeys',
|
||||||
|
'CephClientKey',
|
||||||
|
'CephClusterFSID',
|
||||||
|
'CephManilaClientKey',
|
||||||
|
'CephRgwKey',
|
||||||
)
|
)
|
||||||
|
|
||||||
PLAN_NAME_PATTERN = '^[a-zA-Z0-9-]+$'
|
PLAN_NAME_PATTERN = '^[a-zA-Z0-9-]+$'
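Review bot: The four Ceph entries added to `DO_NOT_ROTATE_LIST` have no comment saying why they are exempt, although the commit message gives the reason (some of these values cannot change once the cluster is deployed). I would put a comment above them, such as `# Ceph FSID and CephX keys must stay stable after deployment; do not rotate`. Because these keys are now outside the rotation workflow, replacing a CephX key that is suspected to be exposed will need its own documented procedure, and the comment is a good place to say so.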
|
||||||
|
|
|
@ -52,13 +52,12 @@ def generate_passwords(mistralclient=None, stack_env=None,
|
||||||
if (stack_env and name in stack_env.get('parameter_defaults', {}) and
|
if (stack_env and name in stack_env.get('parameter_defaults', {}) and
|
||||||
not rotate_passwords):
|
not rotate_passwords):
|
||||||
passwords[name] = stack_env['parameter_defaults'][name]
|
passwords[name] = stack_env['parameter_defaults'][name]
|
||||||
elif name.startswith("Ceph"):
|
elif name in ('CephClientKey', 'CephManilaClientKey', 'CephRgwKey'):
|
||||||
if name == "CephClusterFSID":
|
# CephX keys aren't random strings
|
||||||
# The FSID must be a UUID
|
passwords[name] = create_cephx_key()
|
||||||
passwords[name] = six.text_type(uuid.uuid4())
|
elif name == "CephClusterFSID":
|
||||||
else:
|
# The FSID must be a UUID
|
||||||
# CephX keys aren't random strings
|
passwords[name] = six.text_type(uuid.uuid4())
|
||||||
passwords[name] = create_cephx_key()
|
|
||||||
# Since by default passlib.pwd.genword uses all digits and ascii upper
|
# Since by default passlib.pwd.genword uses all digits and ascii upper
|
||||||
# & lowercase letters, it provides ~5.95 entropy per character.
|
# & lowercase letters, it provides ~5.95 entropy per character.
|
||||||
# Make the length of the default authkey 4096 bytes, which should give
|
# Make the length of the default authkey 4096 bytes, which should give
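Review bot: Replacing `name.startswith("Ceph")` with the literal tuple `('CephClientKey', 'CephManilaClientKey', 'CephRgwKey')` means any other Ceph-prefixed name now falls through to the branches below this hunk. Judging by the trailing comments, those branches generate a generic passlib string rather than a CephX-format key. The tuple also repeats names that the other hunk adds to `DO_NOT_ROTATE_LIST`, so the two lists can drift apart when a new CephX parameter is introduced. Consider one named constant that both places use, for example `CEPHX_KEY_NAMES = ('CephClientKey', 'CephManilaClientKey', 'CephRgwKey')`, with a comment that new CephX parameters must be added there. `generate_passwords` starts and ends outside this hunk, so the fall-through behaviour is inferred rather than confirmed.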
|
||||||
|
|