Update puppet-keystone to handle $ in admin password

Escape special characters when executing the keystone-manage bootstrap command since the keystone CLI argparse will parse "Madawa$ka1" as "Madawa" which will cause the Keystone ADMIN acct to be created with an incorrect password. Puppet will detect this and attempt to course correct by sending the UPDATE User request to Keystone, which does set the right password but causes other failures in later manifests. Change-Id: I407c6fdde8db01e8d2da0d8e8777667f97164076 Signed-off-by: Don Penney <don.penney@windriver.com>
2018-04-02 17:52:20 -04:00 · 2018-04-02 17:52:20 -04:00 · 471995bc3e
parent 2e5319c05b
commit 471995bc3e
4 changed files with 74 additions and 1 deletions
--- a/devtools/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data
+++ b/devtools/puppet-modules/openstack/puppet-keystone-11.3.0/centos/build_srpm.data
@ -1 +1 @@
-TIS_PATCH_VER=5
+TIS_PATCH_VER=6
--- a/devtools/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/0005-escape-special-characters-in-bootstrap.patch
+++ b/devtools/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/0005-escape-special-characters-in-bootstrap.patch
@ -0,0 +1,33 @@
+From f3282651cd75697bbf7be3a07c1093c03964b5e1 Mon Sep 17 00:00:00 2001
+From: Kam Nasim <kam.nasim@windriver.com>
+Date: Mon, 2 Apr 2018 16:20:52 -0400
+Subject: [PATCH] meta patch for
+ 0004-escape-special-characters-in-bootstrap.patch
+
+---
+ SPECS/puppet-keystone.spec | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SPECS/puppet-keystone.spec b/SPECS/puppet-keystone.spec
+index 36cf461..301002a 100644
+--- a/SPECS/puppet-keystone.spec
+++ b/SPECS/puppet-keystone.spec
+@@ -13,6 +13,7 @@ Source0:        https://tarballs.openstack.org/%{name}/%{name}-%{upstream_versio
+ Patch0001:      0001-pike-rebase-squash-titanium-patches.patch
+ Patch0002:      0002-remove-the-Keystone-admin-app.patch
+ Patch0003:      0003-remove-eventlet_bindhost-from-Keystoneconf.patch
+Patch0004:      0004-escape-special-characters-in-bootstrap.patch
+ 
+ BuildArch:      noarch
+ 
+@@ -33,6 +34,7 @@ Puppet module for OpenStack Keystone
+ %patch0001 -p1
+ %patch0002 -p1
+ %patch0003 -p1
+%patch0004 -p1
+ 
+ find . -type f -name ".*" -exec rm {} +
+ find . -size 0 -exec rm {} +
+-- 
+1.8.3.1
+
--- a/devtools/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER
+++ b/devtools/puppet-modules/openstack/puppet-keystone-11.3.0/centos/meta_patches/PATCH_ORDER
@ -2,3 +2,4 @@
 0002-squash-titanium-patches.patch
 0003-remove-the-keystone-admin-app.patch
 0004-remove-eventlet_and_bindhost-from-keystoneconf.patch
+0005-escape-special-characters-in-bootstrap.patch
--- a/devtools/puppet-modules/openstack/puppet-keystone-11.3.0/centos/patches/0004-escape-special-characters-in-bootstrap.patch
+++ b/devtools/puppet-modules/openstack/puppet-keystone-11.3.0/centos/patches/0004-escape-special-characters-in-bootstrap.patch
@ -0,0 +1,39 @@
+From 70d22113cc8d58b6546cb4917c27f9aae51787c5 Mon Sep 17 00:00:00 2001
+From: Kam Nasim <kam.nasim@windriver.com>
+Date: Mon, 2 Apr 2018 16:13:31 -0400
+Subject: [PATCH] CGTS-9320: config_controller fails when admin pw containing $
+
+Escape special characters when executing the keystone-manage bootstrap
+command since the keystone CLI argparse will parse "Madawa$ka1" as
+"Madawa" which will cause the Keystone ADMIN acct to be created with an
+incorrect password. Puppet will detect this and attempt to course
+correct by sending an UPDATE User request to Keystone, which does set
+the right password but causes other failures in config_controller
+---
+ manifests/init.pp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/manifests/init.pp b/manifests/init.pp
+index d64638c..89af303 100644
+--- a/manifests/init.pp
+++ b/manifests/init.pp
+@@ -1292,10 +1292,15 @@ running as a standalone service, or httpd for being run by a httpd server")
+   }
+ 
+   if $enable_bootstrap {
+    #(NOTE: knasim-wrs): escape special characters in the password otherwise the
+    # keyword-manage bootstrap CLI may parse the password incorrectly, causing
+    # the admin account to be created with an incorrect password
+    $admin_password_escaped = shell_escape($admin_password_real)
+
+     # this requires the database to be up and running and configured
+     # and is only run once, so we don't need to notify the service
+     exec { 'keystone-manage bootstrap':
+-      command     => "keystone-manage bootstrap --bootstrap-password ${admin_password_real}",
+      command     => "keystone-manage bootstrap --bootstrap-password ${admin_password_escaped}",
+       user        => $keystone_user,
+       path        => '/usr/bin',
+       refreshonly => true,
+-- 
+1.8.3.1
+