[openstack-dev] [TripleO][Tuskar] Dealing with passwords in Tuskar-API

Imre Farkas ifarkas at redhat.com
Thu Feb 20 09:43:16 UTC 2014


On 02/20/2014 10:12 AM, Radomir Dopieralski wrote:
> On 19/02/14 18:29, Dougal Matthews wrote:
>> The question for me, is what passwords will we have and when do we need
>> them? Are any of the passwords required long term.
>
> We will need whatever the Heat template needs to generate all the
> configuration files. That includes passwords for all services that are
> going to be configured, such as, for example, Swift or MySQL.
>
> I'm not sure about the exact mechanisms in Heat, but I would guess that
> we will need all the parameters, including passwords, when the templates
> are re-generated. We could probably generate new passwords every time,
> though.

That is an excellent point. Tuskar will need the passwords every time it 
needs to regenerate the Heat template (basically when running 
stack-update).

I don't think, changing the password every time would work. If eg. the 
MySQL password is changed, then os-refresh-config will fail during the 
db migration scripts because it no longer can access the existing db 
with the new password.

Imre



More information about the OpenStack-dev mailing list