CL210 Training-Resetting Admin Password

In CL210 training, nothing is more frustrating for an OpenStack administrator than not being able to log in to the cluster to see what is going on. OpenStack offers an authentication override that bypasses authentication and lets you make Keystone calls to see services, endpoints, and other Keystone resources.

Let's learn how to reset the OpenStack administrator password in these kinds of situations.

We can reset the OpenStack administrator password using the Keystone admin service token. You already know the importance of the keystonerc file; to use the service token to override authentication, you use a similar methodology.

Step #1 – Start by getting the current service token value from the keystone.conf file:

# grep admin_token /etc/keystone/keystone.conf



Step #2 – The value that Keystone's admin_token is set to can be passed to Keystone together with a service endpoint URL, and authentication will be overridden. Get the OS_AUTH_URL environment variable from the keystonerc_admin file you created.


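Step #3 – Now create a new file (it is sourced as keystonerc_service_token in Step #4) with the following content.

export OS_SERVICE_TOKEN={value of keystone.conf admin_token}
export OS_SERVICE_ENDPOINT={URL of the Keystone administrative endpoint on port 35357}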

It is important to note here that OS_SERVICE_ENDPOINT points to your Keystone administrative endpoint on port 35357 and not the public or internal endpoint on port 5000. Port 5000 is for authenticated traffic, and port 35357 is for non-public administrative traffic, such as service token calls to override authentication. It is not recommended that port 35357 be publicly accessible.



Step #4 – Next, source this file so that the environment includes these variables:

# source keystonerc_service_token

The first thing you want to do here is reset the admin user’s password and then stop using these service tokens. It is very bad practice to operate on Keystone using the service token. So, first, update the admin user’s password. Then, unset the service token environment variables.

# keystone user-password-update admin

Make sure you unset both SERVICE environment variables, OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT.


Once you have unset the service token environment variables, make sure that you update the password in your keystonerc_admin file and re-source it. If you do not source it, then the new password will not be used.
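
Steps #1 to #4 and the cleanup, collected into shell helper functions as an added example (not code from the original post). The function names are hypothetical, file locations are passed as arguments, and it assumes the administrative endpoint differs from OS_AUTH_URL only by port (5000 versus 35357).

```shell
#!/bin/sh
# Added example: helper functions for the service-token override procedure.
# Function names are hypothetical; paths are arguments so you can test on copies.

# Step #1: print the admin_token value from a keystone.conf.
# Commented-out lines (#admin_token = ...) are ignored.
get_admin_token() {
    sed -n 's/^[[:space:]]*admin_token[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Step #2: print OS_AUTH_URL from a keystonerc_admin file, moved to port 35357.
# Assumption: the admin endpoint has the same host and path as OS_AUTH_URL.
get_admin_endpoint() {
    sed -n 's/^export OS_AUTH_URL=//p' "$1" | head -n 1 \
        | tr -d "\"'" | sed 's/:5000/:35357/'
}

# Step #3: write the override file. It holds the service token, so it is
# created with owner-only permissions (umask 077 gives mode 0600).
write_service_rc() {   # args: keystone.conf keystonerc_admin output-file
    token=$(get_admin_token "$1")
    endpoint=$(get_admin_endpoint "$2")
    if [ -z "$token" ] || [ -z "$endpoint" ]; then
        echo "admin_token or OS_AUTH_URL not found" >&2
        return 1
    fi
    ( umask 077
      rm -f "$3"
      printf 'export OS_SERVICE_TOKEN=%s\nexport OS_SERVICE_ENDPOINT=%s\n' \
          "$token" "$endpoint" > "$3" )
}

# After the password reset: unset both override variables in the current
# shell and delete the file so the token is not left lying around.
clear_service_override() {   # arg: the override file
    unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
    rm -f "$1"
}
```

Source the file that defines these functions instead of executing it, so that the unset in clear_service_override applies to your current shell.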