keystone-manage bootstrap cannot recover admin account
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Medium
|
Dolph Mathews | ||
Mitaka |
Fix Released
|
Medium
|
Dolph Mathews |
Bug Description
The keystone-manage bootstrap command is intended to supersede the admin_token middleware. However, one of the common use cases for the admin_token middleware was to provide a recovery mechanism for cloud operators that had accidentally disabled themselves or lost their password.
However, even after attempting to "re-bootstrap" an existing admin with a known password (effectively performing a password reset), the admin is still not able to authenticate. The same is true if the admin was disabled.
This was originally reported in #openstack-ansible by odyssey4me:
[Fri 09:29] <odyssey4me> dolphm lbragstad is keystone-manage bootstrap meant to skip the bootstrap if there are already settings in place? what is the right way to fix up creds that are lost somehow for the keystone admin?
[Fri 09:30] <dolphm> odyssey4me: bootstrap should be idempotent, but i don't think it'll change an admin's password if you specify something different
[Fri 09:31] <odyssey4me> dolphm so the options are, I guess, to delete the admin account in the db or to use the auth_token middleware?
Changed in keystone: | |
status: | New → In Progress |
Changed in keystone: | |
importance: | Undecided → Medium |
Changed in keystone: | |
milestone: | none → newton-2 |
https:/ /review. openstack. org/#/c/ 325352/