From a1f3dfe6a9e7057197dd05d51a2b57ac06f0adfc Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Wed, 2 Nov 2016 10:42:57 -0400
Subject: [PATCH] Force domain_password parameter to be defined Having a default value for a password is not acceptable for security purpose. We should unset the default value so we make sure catalog fail if no value is set. It enforces our users to set a value and stop opening a security problem.
Change-Id: I41b974f6ece39743bfc2ad922b2f0dad20aec469
---
manifests/keystone/domain.pp | 4 ++--
releasenotes/notes/domain_password-b9e2e385ebf5d912.yaml | 5 +++++
2 files changed, 7 insertions(+), 2 deletions(-)
create mode 100644 releasenotes/notes/domain_password-b9e2e385ebf5d912.yaml
diff --git a/manifests/keystone/domain.pp b/manifests/keystone/domain.pp
index b0c44d10..c8232e04 100644
--- a/manifests/keystone/domain.pp
+++ b/manifests/keystone/domain.pp
@@ -14,7 +14,7 @@
 # Keystone domain admin user email address. Defaults to 'heat_admin@localhost'.
 #
 # [*domain_password*]
-# Keystone domain admin user password. Defaults to 'changeme'.
+# (Required) Keystone domain admin user password.
 #
 # [*manage_domain*]
 # Whether manage or not the domain creation.
@@ -31,10 +31,10 @@
 # Defaults to 'true'.
 #
 class heat::keystone::domain (
+ $domain_password,
 $domain_name = 'heat',
 $domain_admin = 'heat_admin',
 $domain_admin_email = 'heat_admin@localhost',
- $domain_password = 'changeme',
 $manage_domain = true,
 $manage_user = true,
 $manage_role = true,
diff --git a/releasenotes/notes/domain_password-b9e2e385ebf5d912.yaml b/releasenotes/notes/domain_password-b9e2e385ebf5d912.yaml
new file mode 100644
index 00000000..32daeccc
--- /dev/null
+++ b/releasenotes/notes/domain_password-b9e2e385ebf5d912.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - domain_password in heat::keystone::domain is now required and no default
+ value is provided. It will make sure our users set the value so deployments
+ are more secure.
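Review bot: The now-required `$domain_password` in the `heat::keystone::domain` parameter list (second hunk of manifests/keystone/domain.pp) is accepted without any check on its value, so an empty string or the old `'changeme'` passed in from hiera still compiles. A guard at the top of the class body would close that gap, for example `if empty($domain_password) { fail('domain_password must be set to a non-empty value') }`, assuming stdlib is available to this module. Deployments created while the default was in effect presumably still have `changeme` set on the domain admin user, so the parameter's doc comment could add `# Installs that relied on the old default should rotate this password.` The class body lies outside the hunk, so an existing check there cannot be ruled out.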