authorMarco Platania <platania@research.att.com>2018-09-05 14:26:34 -0400
committerMarco Platania <platania@research.att.com>2018-09-05 14:26:34 -0400
commit8c1c99dfc4a42ff8e438a13858c95340a0f677c7 (patch)
treeca41ad656c7c8383faeeb58edd2617a45dc096d8
parent2871669ad9a0db36280fd1bcb7ff9d12066d1369 (diff)
Remove plain OpenStack pwd from Heat
- Replace plain OpenStack password with its encrypted version - Update SO install/init script to skip key encryption (will be done by user) - Provide a script that encrypts the plain OpenStack password Change-Id: Ifb7010ab8720ca92119c65484d05f5cfacf023cb Issue-ID: INT-646 Signed-off-by: Marco Platania <platania@research.att.com>
-rw-r--r--heat/ONAP/cloud-config/so_install.sh6
-rw-r--r--heat/ONAP/cloud-config/so_vm_init.sh3
-rw-r--r--heat/ONAP/onap_openstack.env4
-rw-r--r--heat/ONAP/onap_openstack.yaml8
-rw-r--r--heat/ONAP/onap_openstack_template.env4
-rwxr-xr-xheat/ONAP/openstack_encrypted_key.sh17
6 files changed, 26 insertions, 16 deletions
diff --git a/heat/ONAP/cloud-config/so_install.sh b/heat/ONAP/cloud-config/so_install.sh
index 3a8f3fc2..36c7c8cb 100644
--- a/heat/ONAP/cloud-config/so_install.sh
+++ b/heat/ONAP/cloud-config/so_install.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# Read configuration files
-OPENSTACK_API_KEY=$(cat /opt/config/openstack_api_key.txt)
+#OPENSTACK_API_KEY=$(cat /opt/config/openstack_api_key.txt)
GERRIT_BRANCH=$(cat /opt/config/gerrit_branch.txt)
CODE_REPO=$(cat /opt/config/remote_repo.txt)
HTTP_PROXY=$(cat /opt/config/http_proxy.txt)
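Review bot: The old `OPENSTACK_API_KEY=` read is commented out rather than deleted, and the same is done to the two encryption lines in the next hunk of this file and to the `api_key.txt` read in so_vm_init.sh. Version control already keeps the history, and the leftover lines read as if encrypting on the VM were still an option. I would delete them and leave one explanatory comment instead, e.g. `# openstack_api_key.txt already holds the encrypted password (see openstack_encrypted_key.sh)`. The script continues outside this hunk.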
@@ -16,7 +16,7 @@ fi
# Clone Gerrit repository and run docker containers.
cd /opt
git clone -b $GERRIT_BRANCH --single-branch $CODE_REPO test_lab
-SO_ENCRYPTION_KEY=$(cat /opt/test_lab/encryption.key)
-echo -n "$OPENSTACK_API_KEY" | openssl aes-128-ecb -e -K $SO_ENCRYPTION_KEY -nosalt | xxd -c 256 -p > /opt/config/api_key.txt
+#SO_ENCRYPTION_KEY=$(cat /opt/test_lab/encryption.key)
+#echo -n "$OPENSTACK_API_KEY" | openssl aes-128-ecb -e -K $SO_ENCRYPTION_KEY -nosalt | xxd -c 256 -p > /opt/config/api_key.txt
./so_vm_init.sh
diff --git a/heat/ONAP/cloud-config/so_vm_init.sh b/heat/ONAP/cloud-config/so_vm_init.sh
index fb19d1a3..1acf2eb0 100644
--- a/heat/ONAP/cloud-config/so_vm_init.sh
+++ b/heat/ONAP/cloud-config/so_vm_init.sh
@@ -5,7 +5,8 @@ NEXUS_PASSWD=$(cat /opt/config/nexus_password.txt)
NEXUS_DOCKER_REPO=$(cat /opt/config/nexus_docker_repo.txt)
DMAAP_TOPIC=$(cat /opt/config/dmaap_topic.txt)
OPENSTACK_USERNAME=$(cat /opt/config/openstack_username.txt)
-OPENSTACK_APIKEY=$(cat /opt/config/api_key.txt)
+#OPENSTACK_APIKEY=$(cat /opt/config/api_key.txt)
+OPENSTACK_APIKEY=$(cat /opt/config/openstack_api_key.txt)
export MSO_DOCKER_IMAGE_VERSION=$(cat /opt/config/docker_version.txt)
export MTU=$(/sbin/ifconfig | grep MTU | sed 's/.*MTU://' | sed 's/ .*//' | sort -n | head -1)
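Review bot: Nothing checks that `/opt/config/openstack_api_key.txt` now holds ciphertext, so an operator who still supplies the plain password has it assigned to `OPENSTACK_APIKEY` without any error at this point. Since openstack_encrypted_key.sh emits hex of whole AES blocks, a cheap guard after the assignment would catch the common mistake: `[[ "$OPENSTACK_APIKEY" =~ ^([0-9a-fA-F]{32})+$ ]] || { echo "openstack_api_key is not output of openstack_encrypted_key.sh" >&2; exit 1; }`. This is only a format check and cannot tell whether the right key was used. How the variable is consumed lies outside the hunk.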
diff --git a/heat/ONAP/onap_openstack.env b/heat/ONAP/onap_openstack.env
index b9fc2e6c..c373317d 100644
--- a/heat/ONAP/onap_openstack.env
+++ b/heat/ONAP/onap_openstack.env
@@ -44,9 +44,7 @@ parameters:
openstack_username: PUT YOUR OPENSTACK USERNAME HERE
- openstack_api_key: PUT YOUR OPENSTACK PASSWORD HERE
-
- openstack_auth_method: password
+ openstack_api_key: PUT YOUR ENCRYPTED OPENSTACK PASSWORD HERE
openstack_region: RegionOne
diff --git a/heat/ONAP/onap_openstack.yaml b/heat/ONAP/onap_openstack.yaml
index 65fe4fdc..d836b78e 100644
--- a/heat/ONAP/onap_openstack.yaml
+++ b/heat/ONAP/onap_openstack.yaml
@@ -3,7 +3,7 @@
#==================LICENSE_START==========================================
#
#
-# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -121,13 +121,9 @@ parameters:
type: string
description: OpenStack username
- openstack_auth_method:
- type: string
- description: OpenStack authentication method (password VS. api-key)
-
openstack_api_key:
type: string
- description: OpenStack password or API Key
+ description: Encrypted OpenStack password
keystone_url:
type: string
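Review bot: The `openstack_api_key` parameter is still a plain `type: string`, so Heat will show its value when the stack's parameters are displayed. The value is now ciphertext, but it is produced with a key that ships in the repository, so it should be treated like the password itself; adding `hidden: true` under the parameter would keep it out of that output. The description could also name the generator, e.g. `description: OpenStack password encrypted with openstack_encrypted_key.sh`.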
diff --git a/heat/ONAP/onap_openstack_template.env b/heat/ONAP/onap_openstack_template.env
index af560124..13ed5071 100644
--- a/heat/ONAP/onap_openstack_template.env
+++ b/heat/ONAP/onap_openstack_template.env
@@ -44,9 +44,7 @@ parameters:
openstack_username: PUT YOUR OPENSTACK USERNAME HERE
- openstack_api_key: PUT YOUR OPENSTACK PASSWORD HERE
-
- openstack_auth_method: password
+ openstack_api_key: PUT YOUR ENCRYPTED OPENSTACK PASSWORD HERE
openstack_region: RegionOne
diff --git a/heat/ONAP/openstack_encrypted_key.sh b/heat/ONAP/openstack_encrypted_key.sh
new file mode 100755
index 00000000..20910fa3
--- /dev/null
+++ b/heat/ONAP/openstack_encrypted_key.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+usage () {
+ echo "Usage:"
+ echo " ./$(basename $0) your_openstack_password"
+ exit 1
+}
+
+if [ "$#" -ne 1 ]; then
+ echo "Wrong number of input parameters"
+ usage
+fi
+
+SO_ENCRYPTION_KEY=aa3871669d893c7fb8abbcda31b88b4f
+OPENSTACK_API_KEY=$1
+
+echo -n "$OPENSTACK_API_KEY" | openssl aes-128-ecb -e -K $SO_ENCRYPTION_KEY -nosalt | xxd -c 256 -p
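Review bot: The AES key is committed in the script at the `SO_ENCRYPTION_KEY=` assignment, so the output can be reversed by anyone who can read this repository, and the value placed in the Heat env file still has to be handled as a credential. The password is also taken from `$1`, which leaves it in shell history and visible in the process list while the script runs. I would take the key from the environment and prompt for the password without echo, as sketched below, quoting `$0` and the key expansion and using `printf '%s'` instead of `echo -n`. SO has to decrypt with the same key, so how the key reaches the SO VM is outside this file and would need to be settled alongside.

```shell
# … unchanged: shebang …
usage () {
    echo "Usage: SO_ENCRYPTION_KEY=<hex key> ./$(basename "$0")" >&2
    echo "  The OpenStack password is read from a prompt, not from argv." >&2
    exit 1
}

if [ "$#" -ne 0 ]; then
    echo "Wrong number of input parameters" >&2
    usage
fi

# Key comes from the operator's environment instead of the repository.
: "${SO_ENCRYPTION_KEY:?set SO_ENCRYPTION_KEY to the hex key SO decrypts with}"

# -s keeps the password off the terminal; reading it here keeps it out of
# shell history and the process list.
read -r -s -p "OpenStack password: " OPENSTACK_API_KEY
echo >&2

printf '%s' "$OPENSTACK_API_KEY" | openssl aes-128-ecb -e -K "$SO_ENCRYPTION_KEY" -nosalt | xxd -c 256 -p
```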