Remove unsafe "unset" defaults

All of our sensitive parameters are defaulted to easily predictable
values, which is very bad from a security perspective because we don't
force clients to make sane choices thus risk deploying with the
predictable default values.  tripleoclient supports generating random
values for all of these, so remove the defaults, for non-tripleoclient
usage we can create a developer-only environment with defaults.

Related-Bug: #1516027
Change-Id: Ia0cf3b7e2de1aa42cf179cba195fb7770a1fc21c
Depends-On: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
Steven Hardy 2015-12-09 18:23:08 +00:00
parent 99bd9970d6
commit 293f19b2a4
5 changed files with 0 additions and 39 deletions

View File

@ -13,7 +13,6 @@ parameters:
# Common parameters (not specific to a role) # Common parameters (not specific to a role)
AdminPassword: AdminPassword:
default: unset
description: The password for the keystone admin account, used for monitoring, querying neutron etc. description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string type: string
hidden: true hidden: true
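Review bot: AdminPassword becomes a required parameter here, but the change has 0 additions, so nothing in it supplies a value for non-tripleoclient use. The commit message says a developer-only environment "can" be created; until that exists, any deployment that does not go through tripleoclient will fail validation on this parameter. Either add that environment file in this change or reference the follow-up change that adds it, so the two land together.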
@ -22,12 +21,10 @@ parameters:
description: The ceilometer backend type. description: The ceilometer backend type.
type: string type: string
CeilometerMeteringSecret: CeilometerMeteringSecret:
default: unset
description: Secret shared by the ceilometer services. description: Secret shared by the ceilometer services.
type: string type: string
hidden: true hidden: true
CeilometerPassword: CeilometerPassword:
default: unset
description: The password for the ceilometer service account. description: The password for the ceilometer service account.
type: string type: string
hidden: true hidden: true
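Review bot: CeilometerMeteringSecret, as left by this hunk, has only description, type and hidden, so removing the default forces a value but does not force a good one. A caller can still pass the literal string unset or an empty string and the template will accept it. Consider adding a constraints entry with a minimum length (for example "- length: { min: 1 }" at the very least, ideally a realistic minimum) to this and the other secret parameters, so the template itself rejects the values this change is meant to eliminate.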
@ -138,7 +135,6 @@ parameters:
description: The tenant network type for Neutron, either gre or vxlan. description: The tenant network type for Neutron, either gre or vxlan.
type: string type: string
NeutronPassword: NeutronPassword:
default: unset
description: The password for the neutron service account, used by neutron agents. description: The password for the neutron service account, used by neutron agents.
type: string type: string
hidden: true hidden: true
@ -169,7 +165,6 @@ parameters:
description: Whether to configure Neutron Distributed Virtual Routers description: Whether to configure Neutron Distributed Virtual Routers
type: string type: string
NeutronMetadataProxySharedSecret: NeutronMetadataProxySharedSecret:
default: 'unset'
description: Shared secret to prevent spoofing description: Shared secret to prevent spoofing
type: string type: string
hidden: true hidden: true
@ -227,7 +222,6 @@ parameters:
default: 1 default: 1
description: The number of neutron dhcp agents to schedule per network description: The number of neutron dhcp agents to schedule per network
NovaPassword: NovaPassword:
default: unset
description: The password for the nova service account, used by nova-api. description: The password for the nova service account, used by nova-api.
type: string type: string
hidden: true hidden: true
@ -279,7 +273,6 @@ parameters:
description: The user name for SNMPd with readonly rights running on all Overcloud nodes description: The user name for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
SnmpdReadonlyUserPassword: SnmpdReadonlyUserPassword:
default: unset
description: The user password for SNMPd with readonly rights running on all Overcloud nodes description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
hidden: true hidden: true
@ -298,7 +291,6 @@ parameters:
# Controller-specific params # Controller-specific params
AdminToken: AdminToken:
default: unset
description: The keystone auth secret. description: The keystone auth secret.
type: string type: string
hidden: true hidden: true
@ -319,7 +311,6 @@ parameters:
CinderEnableNfsBackend is true. CinderEnableNfsBackend is true.
type: comma_delimited_list type: comma_delimited_list
CinderPassword: CinderPassword:
default: unset
description: The password for the cinder service account, used by cinder-api. description: The password for the cinder service account, used by cinder-api.
type: string type: string
hidden: true hidden: true
@ -416,7 +407,6 @@ parameters:
type: string type: string
default: noop default: noop
GlancePassword: GlancePassword:
default: unset
description: The password for the glance service account, used by the glance services. description: The password for the glance service account, used by the glance services.
type: string type: string
hidden: true hidden: true
@ -428,14 +418,12 @@ parameters:
constraints: constraints:
- allowed_values: ['swift', 'file', 'rbd'] - allowed_values: ['swift', 'file', 'rbd']
HeatPassword: HeatPassword:
default: unset
description: The password for the Heat service account, used by the Heat services. description: The password for the Heat service account, used by the Heat services.
type: string type: string
hidden: true hidden: true
HeatStackDomainAdminPassword: HeatStackDomainAdminPassword:
description: Password for heat_domain_admin user. description: Password for heat_domain_admin user.
type: string type: string
default: ''
hidden: true hidden: true
InstanceNameTemplate: InstanceNameTemplate:
default: 'instance-%08x' default: 'instance-%08x'
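Review bot: the HeatStackDomainAdminPassword line removed here is "default: ''", not an "unset" default, and the commit title and message only talk about "unset" defaults. The effect is also different: this parameter goes from optional-and-empty to required. Please mention it explicitly in the commit message so anyone bisecting a validation failure on this parameter can find the cause.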
@ -515,12 +503,10 @@ parameters:
This should be int_public when a VLAN is being used. This should be int_public when a VLAN is being used.
type: string type: string
SwiftHashSuffix: SwiftHashSuffix:
default: unset
description: A random string to be used as a salt when hashing to determine mappings in the ring. description: A random string to be used as a salt when hashing to determine mappings in the ring.
type: string type: string
hidden: true hidden: true
SwiftPassword: SwiftPassword:
default: unset
description: The password for the swift service account, used by the swift proxy services. description: The password for the swift service account, used by the swift proxy services.
type: string type: string
hidden: true hidden: true
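Review bot: SwiftHashSuffix is described here as the salt used "when hashing to determine mappings in the ring", so it is not interchangeable with the passwords in this change. A stack that was originally created with the old default needs that same value supplied explicitly on every later update; if a client generates a fresh random value instead, the ring mappings no longer match data already stored. This upgrade path deserves a sentence in the commit message or a release note.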

View File

@ -17,7 +17,6 @@ parameters:
description: The size of the loopback file used by the cinder LVM driver. description: The size of the loopback file used by the cinder LVM driver.
type: number type: number
CinderPassword: CinderPassword:
default: unset
description: The password for the cinder service and db account, used by cinder-api. description: The password for the cinder service and db account, used by cinder-api.
type: string type: string
hidden: true hidden: true
@ -70,7 +69,6 @@ parameters:
description: The user name for SNMPd with readonly rights running on all Overcloud nodes description: The user name for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
SnmpdReadonlyUserPassword: SnmpdReadonlyUserPassword:
default: unset
description: The user password for SNMPd with readonly rights running on all Overcloud nodes description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
hidden: true hidden: true

View File

@ -5,7 +5,6 @@ description: >
parameters: parameters:
AdminPassword: AdminPassword:
default: unset
description: The password for the keystone admin account, used for monitoring, querying neutron etc. description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string type: string
hidden: true hidden: true
@ -16,12 +15,10 @@ parameters:
constraints: constraints:
- allowed_values: ['', Present] - allowed_values: ['', Present]
CeilometerMeteringSecret: CeilometerMeteringSecret:
default: unset
description: Secret shared by the ceilometer services. description: Secret shared by the ceilometer services.
type: string type: string
hidden: true hidden: true
CeilometerPassword: CeilometerPassword:
default: unset
description: The password for the ceilometer service account. description: The password for the ceilometer service account.
type: string type: string
hidden: true hidden: true
@ -110,7 +107,6 @@ parameters:
VLAN on the 'datacentre' physical network (See NeutronBridgeMappings). VLAN on the 'datacentre' physical network (See NeutronBridgeMappings).
type: comma_delimited_list type: comma_delimited_list
NeutronPassword: NeutronPassword:
default: unset
description: The password for the neutron service account, used by neutron agents. description: The password for the neutron service account, used by neutron agents.
type: string type: string
hidden: true hidden: true
@ -147,7 +143,6 @@ parameters:
default: 'False' default: 'False'
type: string type: string
NeutronMetadataProxySharedSecret: NeutronMetadataProxySharedSecret:
default: 'unset'
description: Shared secret to prevent spoofing description: Shared secret to prevent spoofing
type: string type: string
hidden: true hidden: true
@ -212,7 +207,6 @@ parameters:
description: Whether to enable or not the Rbd backend for Nova description: Whether to enable or not the Rbd backend for Nova
type: boolean type: boolean
NovaPassword: NovaPassword:
default: unset
description: The password for the nova service account, used by nova-api. description: The password for the nova service account, used by nova-api.
type: string type: string
hidden: true hidden: true
@ -258,7 +252,6 @@ parameters:
description: The user name for SNMPd with readonly rights running on all Overcloud nodes description: The user name for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
SnmpdReadonlyUserPassword: SnmpdReadonlyUserPassword:
default: unset
description: The user password for SNMPd with readonly rights running on all Overcloud nodes description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
hidden: true hidden: true

View File

@ -10,12 +10,10 @@ parameters:
type: string type: string
hidden: true hidden: true
AdminPassword: AdminPassword:
default: unset
description: The password for the keystone admin account, used for monitoring, querying neutron etc. description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string type: string
hidden: true hidden: true
AdminToken: AdminToken:
default: unset
description: The keystone auth secret and db password. description: The keystone auth secret and db password.
type: string type: string
hidden: true hidden: true
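Review bot: the AdminToken description in this file reads "The keystone auth secret and db password.", while the same parameter in the first file reads "The keystone auth secret.". Now that operators are required to choose this value, the descriptions should agree and state everything the value is used for, so it is clear that one secret covers both the auth token and the database account. The same mismatch ("service account" versus "service and db account") shows up on the *Password parameters across these files.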
@ -27,12 +25,10 @@ parameters:
description: The ceilometer backend type. description: The ceilometer backend type.
type: string type: string
CeilometerMeteringSecret: CeilometerMeteringSecret:
default: unset
description: Secret shared by the ceilometer services. description: Secret shared by the ceilometer services.
type: string type: string
hidden: true hidden: true
CeilometerPassword: CeilometerPassword:
default: unset
description: The password for the ceilometer service and db account. description: The password for the ceilometer service and db account.
type: string type: string
hidden: true hidden: true
@ -72,7 +68,6 @@ parameters:
CinderEnableNfsBackend is true. CinderEnableNfsBackend is true.
type: comma_delimited_list type: comma_delimited_list
CinderPassword: CinderPassword:
default: unset
description: The password for the cinder service and db account, used by cinder-api. description: The password for the cinder service and db account, used by cinder-api.
type: string type: string
hidden: true hidden: true
@ -170,7 +165,6 @@ parameters:
type: string type: string
default: '' default: ''
GlancePassword: GlancePassword:
default: unset
description: The password for the glance service and db account, used by the glance services. description: The password for the glance service and db account, used by the glance services.
type: string type: string
hidden: true hidden: true
@ -210,14 +204,12 @@ parameters:
description: Syslog address where HAproxy will send its log description: Syslog address where HAproxy will send its log
type: string type: string
HeatPassword: HeatPassword:
default: unset
description: The password for the Heat service and db account, used by the Heat services. description: The password for the Heat service and db account, used by the Heat services.
type: string type: string
hidden: true hidden: true
HeatStackDomainAdminPassword: HeatStackDomainAdminPassword:
description: Password for heat_domain_admin user. description: Password for heat_domain_admin user.
type: string type: string
default: ''
hidden: true hidden: true
HeatAuthEncryptionKey: HeatAuthEncryptionKey:
description: Auth encryption key for heat-engine description: Auth encryption key for heat-engine
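Review bot: HeatAuthEncryptionKey, visible in the trailing context of this hunk, is also a secret, but this change does not touch it and the visible lines do not show whether it has a default. If it still carries a predictable default, it belongs in this change alongside HeatPassword and HeatStackDomainAdminPassword; if it has none, no action is needed.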
@ -367,7 +359,6 @@ parameters:
description: Whether to configure Neutron Distributed Virtual Routers description: Whether to configure Neutron Distributed Virtual Routers
type: string type: string
NeutronMetadataProxySharedSecret: NeutronMetadataProxySharedSecret:
default: 'unset'
description: Shared secret to prevent spoofing description: Shared secret to prevent spoofing
type: string type: string
hidden: true hidden: true
@ -430,7 +421,6 @@ parameters:
VLAN on the 'datacentre' physical network (See NeutronBridgeMappings). VLAN on the 'datacentre' physical network (See NeutronBridgeMappings).
type: comma_delimited_list type: comma_delimited_list
NeutronPassword: NeutronPassword:
default: unset
description: The password for the neutron service and db account, used by neutron agents. description: The password for the neutron service and db account, used by neutron agents.
type: string type: string
hidden: true hidden: true
@ -482,7 +472,6 @@ parameters:
type: string type: string
default: '' default: ''
NovaPassword: NovaPassword:
default: unset
description: The password for the nova service and db account, used by nova-api. description: The password for the nova service and db account, used by nova-api.
type: string type: string
hidden: true hidden: true
@ -542,12 +531,10 @@ parameters:
description: The user name for SNMPd with readonly rights running on all Overcloud nodes description: The user name for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
SnmpdReadonlyUserPassword: SnmpdReadonlyUserPassword:
default: unset
description: The user password for SNMPd with readonly rights running on all Overcloud nodes description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
hidden: true hidden: true
SwiftHashSuffix: SwiftHashSuffix:
default: unset
description: A random string to be used as a salt when hashing to determine mappings description: A random string to be used as a salt when hashing to determine mappings
in the ring. in the ring.
hidden: true hidden: true
@ -565,7 +552,6 @@ parameters:
description: Partition Power to use when building Swift rings description: Partition Power to use when building Swift rings
type: number type: number
SwiftPassword: SwiftPassword:
default: unset
description: The password for the swift service account, used by the swift proxy description: The password for the swift service account, used by the swift proxy
services. services.
hidden: true hidden: true

View File

@ -7,7 +7,6 @@ parameters:
constraints: constraints:
- custom_constraint: nova.flavor - custom_constraint: nova.flavor
HashSuffix: HashSuffix:
default: unset
description: A random string to be used as a salt when hashing to determine mappings description: A random string to be used as a salt when hashing to determine mappings
in the ring. in the ring.
hidden: true hidden: true
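Review bot: this template names the parameter HashSuffix, while the other files in the change call it SwiftHashSuffix. With the default gone, the value only arrives if the parent template maps SwiftHashSuffix to HashSuffix when it instantiates this one; a missing mapping used to fall back silently to unset and will now fail. Please confirm that mapping exists, and consider a follow-up to align the names.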
@ -40,7 +39,6 @@ parameters:
description: The user name for SNMPd with readonly rights running on all Overcloud nodes description: The user name for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
SnmpdReadonlyUserPassword: SnmpdReadonlyUserPassword:
default: unset
description: The user password for SNMPd with readonly rights running on all Overcloud nodes description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string type: string
hidden: true hidden: true