From e15ad2c2c1d50997d68c15ec9c94c0f12953d206 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Mon, 11 May 2020 17:29:41 +0200
Subject: [PATCH] Do not rotate CephX secrets

we do not want the CephX keys to rotate by default, some cannot be changed at all after the cluster has been deployed

Change-Id: Iefe87eb869e248ea1e98d9ae34cdeeea57aa5426
(cherry picked from commit d1662ad41108ba3543f9b59277c8dd7e84969f68)
---
 tripleo_common/constants.py | 4 ++++
 tripleo_common/utils/passwords.py | 13 ++++++-------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/tripleo_common/constants.py b/tripleo_common/constants.py
index 6807365f3..477478fbb 100644
--- a/tripleo_common/constants.py
+++ b/tripleo_common/constants.py
@@ -156,6 +156,10 @@ DO_NOT_ROTATE_LIST = (
 'KeystoneFernetKey0',
 'KeystoneFernetKey1',
 'KeystoneFernetKeys',
+ 'CephClientKey',
+ 'CephClusterFSID',
+ 'CephManilaClientKey',
+ 'CephRgwKey',
 )

 PLAN_NAME_PATTERN = '^[a-zA-Z0-9-]+$'
diff --git a/tripleo_common/utils/passwords.py b/tripleo_common/utils/passwords.py
index 52ab57363..dcdb8b730 100644
--- a/tripleo_common/utils/passwords.py
+++ b/tripleo_common/utils/passwords.py
@@ -51,13 +51,12 @@ def generate_passwords(stack_env=None,
 if (stack_env and name in stack_env.get('parameter_defaults', {}) and
 not rotate_passwords):
 passwords[name] = stack_env['parameter_defaults'][name]
- elif name.startswith("Ceph"):
- if name == "CephClusterFSID":
- # The FSID must be a UUID
- passwords[name] = six.text_type(uuid.uuid4())
- else:
- # CephX keys aren't random strings
- passwords[name] = create_cephx_key()
+ elif name in ('CephClientKey', 'CephManilaClientKey', 'CephRgwKey'):
+ # CephX keys aren't random strings
+ passwords[name] = create_cephx_key()
+ elif name == "CephClusterFSID":
+ # The FSID must be a UUID
+ passwords[name] = six.text_type(uuid.uuid4())
 # Since by default passlib.pwd.genword uses all digits and ascii upper
 # & lowercase letters, it provides ~5.95 entropy per character.
 # Make the length of the default authkey 4096 bytes, which should give
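Review bot: The explicit tuple in the new `elif name in ('CephClientKey', 'CephManilaClientKey', 'CephRgwKey'):` branch narrows what used to be a prefix match, so any other `Ceph`-prefixed secret name would now fall through to the branches that follow the hunk and get a generic random string instead of a CephX-formatted key; whether such a name exists in the iterated list is not visible here. The same three names are also hard-coded in `DO_NOT_ROTATE_LIST` in constants.py, so the two lists can drift apart, and a comment such as `# CephX key names; keep in sync with DO_NOT_ROTATE_LIST in constants.py` on this branch would flag that. Nothing in this hunk consults `DO_NOT_ROTATE_LIST`: when `rotate_passwords` is true the first condition is skipped and these branches still generate a new key and FSID, so the no-rotation guarantee presumably rests on code outside the hunk, and a test pinning that the four values survive a rotation would be worth adding. `generate_passwords` starts and ends outside the hunk.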