
Chapter 4. Rotating service account passwords


You can periodically rotate service account passwords to improve your security posture.

4.1. Overview of overcloud password management

OpenStack services that run on the overcloud are authenticated by their Identity service (keystone) credentials. These passwords are generated during the initial deployment process and are defined as heat parameters. For example:

    'MistralPassword',
    'BarbicanPassword',
    'AdminPassword',
    'CeilometerMeteringSecret',
    'ZaqarPassword',
    'NovaPassword',
    'MysqlRootPassword'

You can rotate the passwords used by the service accounts by using a Workflow service (mistral) workflow. However, passwords are not rotated if they are listed in DO_NOT_ROTATE, such as Key Encrypting Keys (KEK) and Fernet keys:

DO_NOT_ROTATE_LIST = (
    'BarbicanSimpleCryptoKek',
    'SnmpdReadonlyUserPassword',
    'KeystoneCredential0',
    'KeystoneCredential1',
    'KeystoneFernetKey0',
    'KeystoneFernetKey1',
    'KeystoneFernetKeys',
)

These passwords are on the DO_NOT_ROTATE list for the following reasons:

  • BarbicanSimpleCryptoKek - changing this password requires you to re-encrypt all the secrets.
  • KeystoneFernetKey and KeystoneCredential - separate workflows already exist to rotate these. For more information, see {defaultURL}/deploy_fernet_on_the_overcloud/sec-fernet#rotate_the_fernet_keys_using_mistral.

4.2. Rotating the passwords

Use the following procedure to rotate eligible passwords. The rotated passwords are applied the next time you complete a stack update by running the openstack overcloud deploy command. Any passwords specified in environment files take precedence over password changes made with this method. For information about outage requirements and service impact, see Section 4.3, Outage requirements.

Important

Do not use this procedure to rotate the swift password, because this is not currently supported.

  1. As the stack user, run the password rotation workflow. This rotates all passwords, except for those on the DO_NOT_ROTATE list:

    $ openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud"}'

    If you want to rotate only specific passwords, you can use password_list. You can also use this method to rotate passwords on the DO_NOT_ROTATE list. For example:

    $ openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud", "password_list": ["SaharaPassword", "ManilaPassword"]}'

    The Workflow service (mistral) workflow generates new passwords for the service accounts.
  2. Run a stack update to apply the new passwords.
  3. You can retrieve and view the new passwords by running a workflow that retrieves them and then viewing the output of that execution:

    1. Run the get_passwords workflow. Note the ID of the execution that is created:

      $ openstack workflow execution create tripleo.plan_management.v1.get_passwords '{"container": "overcloud"}'
       +--------------------+---------------------------------------------+
       | Field              | Value                                       |
       +--------------------+---------------------------------------------+
       | ID                 | edcf9103-e1a8-42f9-85c1-e505c055e0ed        |
       | Workflow ID        | 8aa2ac9b-22ee-4e7d-8240-877237ef0d0a        |
       | Workflow name      | tripleo.plan_management.v1.rotate_passwords |
       | Workflow namespace |                                             |
       | Description        |                                             |
       | Task Execution ID  | <none>                                      |
       | Root Execution ID  | <none>                                      |
       | State              | RUNNING                                     |
       | State info         | None                                        |
       | Created at         | 2020-01-22 15:47:57                         |
       | Updated at         | 2020-01-22 15:47:57                         |
       +--------------------+---------------------------------------------+
    2. Use the execution ID to check the workflow status. You must wait until the execution has a state of SUCCESS before you continue:

      $ openstack workflow execution show edcf9103-e1a8-42f9-85c1-e505c055e0ed
            +--------------------+---------------------------------------------+
            | Field              | Value                                       |
            +--------------------+---------------------------------------------+
            | ID                 | edcf9103-e1a8-42f9-85c1-e505c055e0ed        |
            | Workflow ID        | 8aa2ac9b-22ee-4e7d-8240-877237ef0d0a        |
            | Workflow name      | tripleo.plan_management.v1.rotate_passwords |
            | Workflow namespace |                                             |
            | Description        |                                             |
            | Task Execution ID  | <none>                                      |
            | Root Execution ID  | <none>                                      |
            | State              | SUCCESS                                     |
            | State info         | None                                        |
            | Created at         | 2020-01-22 15:47:57                         |
            | Updated at         | 2020-01-22 15:48:39                         |
            +--------------------+---------------------------------------------+
    3. When the workflow is complete, retrieve the passwords by using the following command:

      $ openstack workflow execution output show edcf9103-e1a8-42f9-85c1-e505c055e0ed
           {
                "status": "SUCCESS",
                "message": {
                    "AdminPassword": "FSn0sS1aAHp8YK2fU5niM3rxu",
                    "AdminToken": "dTP0Wdy7DtblG80M54r4a2yoC",
                    "AodhPassword": "fB5NQdRe37BaBVEWDHVuj4etk",
                    "BarbicanPassword": "rn7yk7KPafKw2PWN71MvXpnBt",
                    "BarbicanSimpleCryptoKek": "lrC3sGlV7-D7-V_PI4vbDfF1Ujm5OjnAVFcnihOpbCg=",
                    "CeilometerMeteringSecret": "DQ69HdlJobhnGWoBC0jM3drPF",
                    "CeilometerPassword": "qI6xOpofuiXZnG95iUe8Oxv5d",
                    "CephAdminKey": "AQDGVPpdAAAAABAAZMP56/VY+zCVcDT81+TOjg==",
                    "CephClientKey": "AQDGVPpdAAAAABAAanYtA0ggpcoCbS1nLeDN7w==",
                    "CephClusterFSID": "141a5ede-21b4-11ea-8132-52540031f76b",
                    "CephDashboardAdminPassword": "AQDGVPpdAAAAABAAKhsx630YKDhQrocS4o4KzA==",
                    "CephGrafanaAdminPassword": "AQDGVPpdAAAAABAAKBojG+CO72B0TdBRR0paEg==",
                    "CephManilaClientKey": "AQDGVPpdAAAAABAAA1TVHrTVCC8xQ4skG4+d5A=="
                }
            }
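The following script is an added example that is not part of the Red Hat documentation or the TripleO project; it wraps the procedure above (rotate, wait for the execution to reach SUCCESS, fetch the new values) and also encodes the DO_NOT_ROTATE rule from Section 4.1. It assumes the undercloud openstack CLI and the tripleo.plan_management.v1.rotate_passwords and get_passwords workflows named on this page, and that the CLI prints the Field/Value table shown above. The build_input function refuses names on the DO_NOT_ROTATE list unless the caller sets FORCE_DO_NOT_ROTATE=1, because rotating the KEK without re-encrypting secrets, or the Fernet keys outside their own workflow, breaks the services that depend on them. The function names, the polling interval and the FORCE_DO_NOT_ROTATE variable are the example's own choices.

```shell
#!/bin/sh
# Added example (not Red Hat's or TripleO's code). Assumes the undercloud
# `openstack` CLI and the tripleo.plan_management.v1.* Mistral workflows.
set -eu

# The parameters the page lists as DO_NOT_ROTATE. The default rotation skips
# them; an explicit password_list does not, so we guard that path ourselves.
DO_NOT_ROTATE="BarbicanSimpleCryptoKek SnmpdReadonlyUserPassword KeystoneCredential0 KeystoneCredential1 KeystoneFernetKey0 KeystoneFernetKey1 KeystoneFernetKeys"

# is_do_not_rotate NAME -> exit status 0 if NAME is on the DO_NOT_ROTATE list
is_do_not_rotate() {
    for n in $DO_NOT_ROTATE; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# build_input [NAME...] -> JSON input for the rotate_passwords workflow.
# No names: rotate everything except DO_NOT_ROTATE (the workflow's default).
# With names: rotate exactly those, refusing DO_NOT_ROTATE entries unless the
# hypothetical FORCE_DO_NOT_ROTATE=1 acknowledges the side effects.
build_input() {
    if [ $# -eq 0 ]; then
        printf '{"container": "overcloud"}'
        return 0
    fi
    list=""
    for name in "$@"; do
        if is_do_not_rotate "$name" && [ "${FORCE_DO_NOT_ROTATE:-0}" != 1 ]; then
            echo "refusing to rotate $name: on DO_NOT_ROTATE (set FORCE_DO_NOT_ROTATE=1 to override)" >&2
            return 1
        fi
        list="${list}${list:+, }\"$name\""
    done
    printf '{"container": "overcloud", "password_list": [%s]}' "$list"
}

# table_field FIELD < table -> the Value column for that exact Field name,
# parsed from the `| Field | Value |` table the CLI prints.
table_field() {
    awk -F'|' -v f="$1" '$2 ~ "^ *"f" *$" { gsub(/^ +| +$/, "", $3); print $3; exit }'
}

# wait_for_success EXEC_ID -> poll until State is SUCCESS; fail on ERROR.
wait_for_success() {
    while :; do
        state=$(openstack workflow execution show "$1" | table_field State)
        case "$state" in
            SUCCESS) return 0 ;;
            ERROR)   echo "execution $1 failed" >&2; return 1 ;;
            *)       sleep 5 ;;
        esac
    done
}

# rotate [NAME...] -> start the rotation and block until it finishes.
# The new values only take effect after the next `openstack overcloud deploy`.
rotate() {
    input=$(build_input "$@") || return 1
    id=$(openstack workflow execution create \
            tripleo.plan_management.v1.rotate_passwords "$input" | table_field ID)
    wait_for_success "$id"
}

# get_passwords -> print the current plan passwords. The output holds live
# secrets (KEK, Ceph keys, admin token): read it on a terminal, never tee it
# into a log file or a shell history that other users can read.
get_passwords() {
    id=$(openstack workflow execution create \
            tripleo.plan_management.v1.get_passwords '{"container": "overcloud"}' | table_field ID)
    wait_for_success "$id"
    openstack workflow execution output show "$id"
}
```

Source the file and call `rotate` (all eligible passwords), `rotate SaharaPassword ManilaPassword` (a specific subset), or `FORCE_DO_NOT_ROTATE=1 rotate KeystoneFernetKeys` only when you intend to bypass the list; run the stack update, then `get_passwords` to confirm the new values.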

4.3. Outage requirements

Outage requirements and service impacts can occur when you change passwords for the overcloud service accounts.

After a password has been rotated as part of the stack update, the old password becomes invalid. As a result, services are unavailable, returning HTTP 401 errors, for the time it takes for the new password to be added to the service configuration settings.

In addition, you can expect to encounter brief outages when you change passwords for the supporting services, including MySQL, RabbitMQ, and High Availability.
