From d146558ac3f4474b8db4edc2da38da42ac23f4ba Mon Sep 17 00:00:00 2001 From: Jay Faulkner Date: Wed, 3 Jul 2024 15:54:04 -0700 Subject: [PATCH] Require hashed passwords for rescue by default We added this option, and advertised it's default would change several years ago. This completes the migration. Change-Id: I64f80fa2f971a223156cc5bf4231b59da0189885 --- ironic/conf/conductor.py | 3 +-- .../require-hashed-rescue-password-6f7c0424e12c1aeb.yaml | 5 +++++ 2 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/require-hashed-rescue-password-6f7c0424e12c1aeb.yaml diff --git a/ironic/conf/conductor.py b/ironic/conf/conductor.py index 01f385ba6f..31b16ae003 100644 --- a/ironic/conf/conductor.py +++ b/ironic/conf/conductor.py @@ -256,8 +256,7 @@ opts = [ help=_('Password hash algorithm to be used for the rescue ' 'password.')), cfg.BoolOpt('require_rescue_password_hashed', - # TODO(TheJulia): Change this to True in Victoria. - default=False, + default=True, mutable=True, help=_('Option to cause the conductor to not fallback to ' 'an un-hashed version of the rescue password, ' diff --git a/releasenotes/notes/require-hashed-rescue-password-6f7c0424e12c1aeb.yaml b/releasenotes/notes/require-hashed-rescue-password-6f7c0424e12c1aeb.yaml new file mode 100644 index 0000000000..e34eb6f34f --- /dev/null +++ b/releasenotes/notes/require-hashed-rescue-password-6f7c0424e12c1aeb.yaml @@ -0,0 +1,5 @@ +upgrade: + - | + Ironic now requires rescue passwords to be hashed. Operators who would like + to continue using unhashed passwords must set + `[conductor]/require_rescue_password_hashed` to ``false``.