6.2. 轮转密码

使用以下步骤轮转有资格的密码。下次通过运行 openstack overcloud deploy 命令完成堆栈更新时,会应用轮转的密码更改。在环境文件中指定的任何密码优先于使用此方法的密码更改。有关中断要求和服务影响的详情,请参考中断要求。

重要

不要使用此流程来轮转 swift 密码,因为目前不支持。

  1. 以 stack 用户身份,运行密码轮转工作流。这会轮转所有密码,但 DO_NOT_ROTATE 列表中除外:

    $ openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud"}'

    如果您只想轮转特定的密码,您可以使用 password_list。您还可以使用此方法轮转 DO_NOT_ROTATE 列表中的密码。例如:

    $ openstack workflow execution create tripleo.plan_management.v1.rotate_passwords '{"container": "overcloud", "password_list": ["SaharaPassword", "ManilaPassword"]}'
    The Workflow service Mistral workflow generates new passwords for the service accounts.
  2. 运行堆栈更新以应用新密码。
  3. 您可以通过创建工作流来检索密码,然后查看输出来检索和查看新密码:

    1. 创建新工作流以检索密码。请注意工作流的 ID:

      $ openstack workflow execution create tripleo.plan_management.v1.get_passwords '{"container": "overcloud"}'
       +--------------------+---------------------------------------------+
       | Field              | Value                                       |
       +--------------------+---------------------------------------------+
       | ID                 | edcf9103-e1a8-42f9-85c1-e505c055e0ed        |
       | Workflow ID        | 8aa2ac9b-22ee-4e7d-8240-877237ef0d0a        |
       | Workflow name      | tripleo.plan_management.v1.rotate_passwords |
       | Workflow namespace |                                             |
       | Description        |                                             |
       | Task Execution ID  | <none>                                      |
       | Root Execution ID  | <none>                                      |
       | State              | RUNNING                                     |
       | State info         | None                                        |
       | Created at         | 2020-01-22 15:47:57                         |
       | Updated at         | 2020-01-22 15:47:57                         |
       +--------------------+---------------------------------------------+
    2. 使用工作流 ID 检查工作流状态。在继续操作前,您必须等到工作流的状态为 SUCCESS

      $ openstack workflow execution show edcf9103-e1a8-42f9-85c1-e505c055e0ed
            +--------------------+---------------------------------------------+
            | Field              | Value                                       |
            +--------------------+---------------------------------------------+
            | ID                 | edcf9103-e1a8-42f9-85c1-e505c055e0ed        |
            | Workflow ID        | 8aa2ac9b-22ee-4e7d-8240-877237ef0d0a        |
            | Workflow name      | tripleo.plan_management.v1.rotate_passwords |
            | Workflow namespace |                                             |
            | Description        |                                             |
            | Task Execution ID  | <none>                                      |
            | Root Execution ID  | <none>                                      |
            | State              | SUCCESS                                     |
            | State info         | None                                        |
            | Created at         | 2020-01-22 15:47:57                         |
            | Updated at         | 2020-01-22 15:48:39                         |
            +--------------------+---------------------------------------------+
    3. 工作流完成后,使用以下命令检索密码:

      openstack workflow execution output show edcf9103-e1a8-42f9-85c1-e505c055e0ed
           {
                "status": "SUCCESS",
                "message": {
                    "AdminPassword": "FSn0sS1aAHp8YK2fU5niM3rxu",
                    "AdminToken": "dTP0Wdy7DtblG80M54r4a2yoC",
                    "AodhPassword": "fB5NQdRe37BaBVEWDHVuj4etk",
                    "BarbicanPassword": "rn7yk7KPafKw2PWN71MvXpnBt",
                    "BarbicanSimpleCryptoKek": "lrC3sGlV7-D7-V_PI4vbDfF1Ujm5OjnAVFcnihOpbCg=",
                    "CeilometerMeteringSecret": "DQ69HdlJobhnGWoBC0jM3drPF",
                    "CeilometerPassword": "qI6xOpofuiXZnG95iUe8Oxv5d",
                    "CephAdminKey": "AQDGVPpdAAAAABAAZMP56/VY+zCVcDT81+TOjg==",
                    "CephClientKey": "AQDGVPpdAAAAABAAanYtA0ggpcoCbS1nLeDN7w==",
                    "CephClusterFSID": "141a5ede-21b4-11ea-8132-52540031f76b",
                    "CephDashboardAdminPassword": "AQDGVPpdAAAAABAAKhsx630YKDhQrocS4o4KzA==",
                    "CephGrafanaAdminPassword": "AQDGVPpdAAAAABAAKBojG+CO72B0TdBRR0paEg==",
                    "CephManilaClientKey": "AQDGVPpdAAAAABAAA1TVHrTVCC8xQ4skG4+d5A=="
                }
            }