identity-admin returns random pwgen string as service_password to any related units if admin-password is not set in charm config

Bug #1794893 reported by Drew Freiberger
This bug affects 2 people
Affects: OpenStack Keystone Charm
Status: Fix Released
Importance: Undecided
Assigned to: Wouter van Bommel

Bug Description

This bug is similar to, but different from https://bugs.launchpad.net/charm-keystone/+bug/1525380.

When relating to the identity-admin interface, a random password (not the actual admin password) is provided to the related unit if admin-password is not set in the charm configuration.

If you follow the code from the relation-changed where it generates the admin credentials by calling get_admin_passwd() with no args:
https://github.com/openstack/charm-keystone/blob/master/hooks/keystone_hooks.py#L640
To where the code would line up and fail to query the admin_password in the leader_settings at:
https://github.com/openstack/charm-keystone/blob/master/hooks/keystone_utils.py#L1180
You can see that it would then go on to generate a new random password, but it wouldn't be associated to any actual account in the DB.

A fix would be to insert logic into keystone_utils to check if user is None and, if so, set user to config("admin-user") before running line 1180.

I'm also concerned about a future race condition between the leadership setting of this admin_password during clustering of Keystone and the relating of an identity-admin unit to the charm, which would result in the same random unusable string being sent to the identity-admin relation. Possibly solve by triggering identity-admin relation-changed settings when setting/updating admin password.
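
A simplified model of the lookup described in the report above, added here as an illustration; it is not the charm's code and not part of the original report. The dictionaries, the "<user>_passwd" key layout, the helper names and the use of `secrets` in place of pwgen are assumptions made for the example.

```python
import secrets

# Constructed stand-ins for the charm config and the Juju leader settings.
CONFIG = {"admin-user": "admin", "admin-password": None}
# Assumed key layout "<user>_passwd"; the value is a constructed sample.
LEADER_SETTINGS = {"admin_passwd": "stored-admin-secret"}


def _random_password():
    # Stand-in for the random pwgen string named in the report.
    return secrets.token_urlsafe(12)


def _lookup(user):
    return LEADER_SETTINGS.get("{}_passwd".format(user))


def get_admin_passwd_before(user=None):
    """Reported behaviour: user is still None when leader settings are read."""
    if CONFIG["admin-password"]:
        return CONFIG["admin-password"]
    # user=None looks up "None_passwd", which is never stored, so a fresh
    # random string is returned that no Keystone account uses.
    return _lookup(user) or _random_password()


def get_admin_passwd_after(user=None):
    """Fixed behaviour: default user to config('admin-user') before lookup."""
    if CONFIG["admin-password"]:
        return CONFIG["admin-password"]
    if user is None:
        user = CONFIG["admin-user"]
    return _lookup(user) or _random_password()


def relation_password_is_usable(get_passwd):
    """True if the service_password sent on identity-admin matches the stored one."""
    service_password = get_passwd()  # called with no args, as in relation-changed
    return service_password == _lookup(CONFIG["admin-user"])


if __name__ == "__main__":
    print("before fix usable:", relation_password_is_usable(get_admin_passwd_before))
    print("after fix usable: ", relation_password_is_usable(get_admin_passwd_after))
```

The same comparison, run against the credentials a related unit actually receives, works as a post-upgrade check that the relation carries the stored admin password.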

Changed in charm-keystone:
assignee: nobody → Wouter van Bommel (woutervb)
status: New → Confirmed
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/606043

Changed in charm-keystone:
status: In Progress → Fix Committed
Chris Sanders (chris.sanders) wrote :

Subscribed field-medium

Ryan Beisner (1chb1n)
Changed in charm-keystone:
status: Fix Committed → In Progress
milestone: none → 18.11
Felipe Reyes (freyes)
tags: added: backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.openstack.org/606043
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=78f2e5e049dd9dbebd06197683aeb2e4238f4de2
Submitter: Zuul
Branch: master

commit 78f2e5e049dd9dbebd06197683aeb2e4238f4de2
Author: Wouter van Bommel <email address hidden>
Date: Fri Sep 28 13:45:10 2018 +0200

    Assign username from config if none is given

    When hooks/keystone_utils.py:get_admin_passwd is called without the user
    parameter, the parameter should default to config('admin-user')

    Also changed the log, to use the parameter for consistency with facts.

    Don't assume 'admin' is always the username for admin, when setting the
    admin password.

    Added unittests to check the various options, either specifying the
    username via function arguments, or use setting from
    config('admin-user').

    Change-Id: I02726c07ee4ed1e78ea1bfaa93adc2564a1a8236
    Closes-Bug: 1794893

Changed in charm-keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (stable/18.08)

Fix proposed to branch: stable/18.08
Review: https://review.openstack.org/608071

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (stable/18.08)

Reviewed: https://review.openstack.org/608071
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=fc8439fe49a579c826b87df3dc9f62de87a73e3d
Submitter: Zuul
Branch: stable/18.08

commit fc8439fe49a579c826b87df3dc9f62de87a73e3d
Author: Wouter van Bommel <email address hidden>
Date: Fri Sep 28 13:45:10 2018 +0200

    Assign username from config if none is given

    When hooks/keystone_utils.py:get_admin_passwd is called without the user
    parameter, the parameter should default to config('admin-user')

    Also changed the log, to use the parameter for consistency with facts.

    Don't assume 'admin' is always the username for admin, when setting the
    admin password.

    Added unittests to check the various options, either specifying the
    username via function arguments, or use setting from
    config('admin-user').

    Change-Id: I02726c07ee4ed1e78ea1bfaa93adc2564a1a8236
    Closes-Bug: 1794893
    (cherry picked from commit 78f2e5e049dd9dbebd06197683aeb2e4238f4de2)

James Page (james-page)
Changed in charm-keystone:
status: Fix Committed → Fix Released
James Page (james-page)
Changed in charm-keystone:
milestone: 18.11 → 18.08