Use fernet for barbican crypto key

Sha password is not always valid for barbican cripto key. Use a fernet key so it always gets valid. Not need release note for upgrade, users with a working barbican not regenerate passwords, only new passwords will get new type. Change-Id: Ic8c4ca63219295d697062cff9cbf30fadbe49bf3
openstack · Jul 26, 2018 · b80a63f · b80a63f
1 parent cd03876
commit b80a63f
Showing 1 changed file with 5 additions and 7 deletions.
diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py
@@ -19,11 +19,11 @@
 import string
 import sys
 
+from cryptography import fernet
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import serialization
 from hashlib import md5
-from hashlib import sha256
 from oslo_utils import uuidutils
 import yaml
 
@@ -85,8 +85,8 @@ def main():
     hmac_md5_keys = ['designate_rndc_key',
                      'osprofiler_secret']
 
-    # HMAC-SHA256 keys
-    hmac_sha256_keys = ['barbican_crypto_key']
+    # Fernet keys
+    fernet_keys = ['barbican_crypto_key']
 
     # length of password
     length = 40
@@ -114,10 +114,8 @@ def main():
                 passwords[k] = (hmac.new(
                     uuidutils.generate_uuid().encode(), ''.encode(), md5)
                     .hexdigest())
-            elif k in hmac_sha256_keys:
-                passwords[k] = (hmac.new(
-                    uuidutils.generate_uuid().encode(), ''.encode(), sha256)
-                    .hexdigest())
+            elif k in fernet_keys:
+                passwords[k] = fernet.Fernet.generate_key()
             else:
                 passwords[k] = ''.join([
                     random.SystemRandom().choice(