Rotation of credentials in OpenStack¶
MOSK generates all credentials used internally, including two types of credentials generated during the OpenStack deployment:
Credentials for admin users provide unlimited access and enable the initial configuration of cloud entities. Three sets of such credentials are generated for accessing the following services:
OpenStack database
OpenStack APIs (OpenStack admin identity account)
OpenStack messaging
Credentials for OpenStack service users are generated for each deployed OpenStack service. To operate successfully, OpenStack services require three sets of credentials for accessing the following services:
OpenStack database
OpenStack APIs (OpenStack service identity account)
OpenStack messaging
To enhance the information security level, Mirantis recommends changing the passwords of internally used credentials periodically. We suggest changing the credentials every month. MOSK includes an automated routine for changing credentials, which must be triggered manually.
Restarting OpenStack services is necessary to apply new credentials. Therefore, it is crucial to have a smooth transition period to minimize the downtime for the OpenStack control plane. To achieve this, perform the credential rotation as described in Rotate OpenStack credentials.