SnmpdReadonlyUserPassword isn't set by the Mistral workflow
Bug #1631279 reported by Dougal Matthews
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Dougal Matthews |
Bug Description
The Mistral workflows generate passwords if they are missing and attempt to get SnmpdReadonlyUs
We need to either provide the user with access or give it to the user a different way.
Changed in tripleo:
assignee: nobody → Dougal Matthews (d0ugal)
Changed in tripleo:
milestone: none → newton-rc3
tags: added: newton-backport-potential
Changed in tripleo:
milestone: newton-rc3 → ocata-1
Changed in tripleo:
status: Confirmed → In Progress
Discussion from #tripleo
<d0ugal> dprince: Do you remember discussing getting the snmpd_readonly_user_password from hiera? get_config_value) .yaml or something
<d0ugal> dprince: That doesn't work, the Mistral user can't access it. Any other ideas?
<dprince> d0ugal: can we specifically store/stash it somewhere on deployment (create or update)
<d0ugal> dprince: This is the undercloud password (IIUC), so maybe instack could do that?
<dprince> d0ugal: sure, but it is also supplied to the overcloud via a Heat parameter so we should have access to it either way right?
<d0ugal> dprince: Right, but how do we get it to Heat?
<d0ugal> dprince: it's easy for the CLI to pass it to a workflow, that is what it does now
<d0ugal> dprince: but not so easy for the UI
<d0ugal> dprince: it is stored in hiera and the undercloud conf file in the stack home directory.
<dprince> d0ugal: Can't we write a custom Mistral action that essentially looks it up for us via the same python function (utils.
<dprince> d0ugal: kind of an evil thing to expose via the API so perhaps guard it to just the passwords we need
<d0ugal> dprince: Mistral is running as the wrong user, so it won't have the permissions
<dprince> d0ugal: so, then I think this is a 2 part fix. Update the instack installer to provide access to this for the Mistral user
<d0ugal> dprince: okay, how would you provide access?
<dprince> d0ugal: we can have multiple hiera files.... they don't all have to have extra permissions I think
<dprince> d0ugal: just read perms would be required, perhaps we create a simple unix group that can read this extra file
<dprince> d0ugal: share_passwords
<dprince> d0ugal: shared_passwords?
<d0ugal> dprince: okay, that sounds good, I'll start digging.
<dprince> d0ugal: I don't have a strong opinion on the name yet
<dprince> d0ugal: thanks for chasing this. The last few params are always the funnest