identity-admin returns random pwgen string as service_password to any related units if admin-password is not set in charm config
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Keystone Charm |
Fix Released
|
Undecided
|
Wouter van Bommel |
Bug Description
This bug is similar to, but different from https:/
When relating to the identity-admin interface, a random password (not the actual admin password) is provided to the related unit if admin-password is not set in the charm configuration.
If you follow the code from the relation-changed where it generates the admin credentials by calling get_admin_passwd() with no args:
https:/
To where the code would line up and fail to query the admin_password in the leader_settings at:
https:/
You can see that it would then go on to generate a new random password, but it wouldn't be associated to any actual account in the DB.
A fix would be to insert logic into keystone_utils to check if user is None, set user to config(
I'm also concerned about a future race condition between the leadership setting of this admin_password during clustering of Keystone and the relating of a identity-admin unit to the charm which would result in the same random unusable string being sent to the identity-admin relation. Possibly solve by triggering identity-admin relation-changed settings when setting/updating admin password.
Changed in charm-keystone: | |
assignee: | nobody → Wouter van Bommel (woutervb) |
status: | New → Confirmed |
status: | Confirmed → In Progress |
Changed in charm-keystone: | |
status: | In Progress → Fix Committed |
Changed in charm-keystone: | |
status: | Fix Committed → In Progress |
milestone: | none → 18.11 |
tags: | added: backport-potential |
Changed in charm-keystone: | |
status: | Fix Committed → Fix Released |
Changed in charm-keystone: | |
milestone: | 18.11 → 18.08 |
Fix proposed to branch: master /review. openstack. org/606043
Review: https:/