There is no way to only check once for user password history

Bug #1787874 reported by wangxiyuan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | wangxiyuan |

Bug Description

The config option "unique_last_password_count" can limit users' password history. But the value must be at least 2 (1 means no limit). It means that the user needs to change the password at least twice. The case "pw1 -> pw2 -> pw1" is not covered.

We should make the minimum of "unique_last_password_count" 0. Setting it to 1 means users can't change the password like pw1 -> pw1, but can do "pw1 -> pw2 -> pw1".

Tags: pci
wangxiyuan (wangxiyuan)
Changed in keystone:
assignee: nobody → wangxiyuan (wangxiyuan)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/593476

Changed in keystone:
status: New → In Progress
wangxiyuan (wangxiyuan)
description: updated
summary: - There is no way to forbid users changing password to itself
+ There is no way to only check once for user password history
Changed in keystone:
importance: Undecided → Medium
tags: added: pci
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/593476
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=34609d557e68020c6a054282c4d206aaa26a0d67
Submitter: Zuul
Branch: master

commit 34609d557e68020c6a054282c4d206aaa26a0d67
Author: wangxiyuan <email address hidden>
Date: Mon Aug 20 11:02:52 2018 +0800

    Change unique_last_password_count default to 0

    Changing the default value of unique_last_password_count from
    1 to 0, so that it can handle a case (when set to 1) where the
    password history check only checks one previous password.

    Change-Id: Id368c99ca4926c995ea47959a6c3a438fffe1823
    Closes-Bug: #1787874

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → stein-1
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.
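
The option semantics discussed in this report, modelled as an added example (this is not keystone's code). The hypothetical `threshold` parameter is the smallest `unique_last_password_count` at which the history check is active: 2 as the report describes, 1 after the fix. PBKDF2 as the hasher and all function names are assumptions of the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs quickly; not a production value
LEGACY, FIXED = 2, 1  # assumed activation thresholds: before and after the fix


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 as a stand-in hasher."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches(password, entry):
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def reused(password, history, count, threshold):
    """True if `password` equals one of the last `count` stored passwords.

    history: oldest-first list of (salt, digest); the current password is last.
    """
    if count < threshold:  # check disabled for this setting
        return False
    return any(matches(password, entry) for entry in history[-count:])


def simulate(changes, count, threshold):
    """Start from pw1 (constructed sample), apply each change, report the outcome."""
    history = [hash_password("pw1")]
    results = []
    for new in changes:
        if reused(new, history, count, threshold):
            results.append("rejected")
        else:
            history.append(hash_password(new))
            results.append("accepted")
    return results


if __name__ == "__main__":
    for label, threshold in (("legacy", LEGACY), ("fixed", FIXED)):
        for count in (0, 1, 2):
            print(label, "count=%d" % count,
                  "pw1->pw1:", simulate(["pw1"], count, threshold),
                  "pw1->pw2->pw1:", simulate(["pw2", "pw1"], count, threshold))
```

With the fixed threshold, a count of 1 rejects pw1 -> pw1 while still accepting pw1 -> pw2 -> pw1, which is the combination the report says could not be configured before.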
