OpenStack Identity (keystone)

disable_user_account_days_inactive option locks out all users

Bug #2074018 reported by Douglas Mendizábal
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Status tracked in 2024.2
2023.1
New
Medium
Douglas Mendizábal
2023.2
New
Medium
Douglas Mendizábal
2024.1
New
Medium
Douglas Mendizábal
2024.2
Fix Released
Medium
Douglas Mendizábal
OpenStack Identity (keystone) dalmatian-3
Wallaby
New
Medium
Douglas Mendizábal

Bug Description

Enabling the option `[security_compliance] disable_user_account_days_inactive = X` disables all user accounts in deployments that have been running for longer than X.

The root cause seems to be the way that the values of the `last_active_at` column in the `user` table are set. When the option is disabled, the `last_active_at` column is never updated, so it is null for all users.

If you later decide to turn on this option for compliance reasons, the current logic in Keystone will use the value of `created_at` as the last time the user was active. For any deployment where the users were created more than the value of `disable_user_account_days_inactive` will result in all users being disabled including the admin user regardless of when the user last logged in.

Douglas Mendizábal (dougmendizabal)
Changed in keystone:
assignee: nobody → Douglas Mendizábal (dougmendizabal)
status: New → In Progress
importance: Undecided → Medium
Douglas Mendizábal (dougmendizabal)
Changed in keystone:
milestone: none → dalmatian-3
Revision history for this message
Douglas Mendizábal (dougmendizabal) wrote :

Patch is ready for reviews: https://review.opendev.org/c/openstack/keystone/+/924892

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/924892
Committed: https://opendev.org/openstack/keystone/commit/e9513f8e4f25e1f20bc6fcab71d9177120000abf
Submitter: "Zuul (22348)"
Branch: master

commit e9513f8e4f25e1f20bc6fcab71d9177120000abf
Author: Douglas Mendizábal <email address hidden>
Date: Fri Jul 19 17:10:11 2024 -0400

    Add keystone-manage reset_last_active command

    This patch adds the `reset_last_active` subcommand to the
    `keystone-manage` command line tool.

    This subcommand will update every user in the database that has a null
    value in the `last_active_at` property to the current server time. This
    is necessary to prevent user lockout in deployments that have been
    running for a long time without `disable_user_account_days_inactive` and
    later decide to turn it on.

    This patch also includes a change to the logic that sets
    `last_active_at` to fix the root issue of the lockout.

    Closes-Bug: 2074018
    Change-Id: I1b71fb3881dc041db01083fbb4f2592400096a31

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/keystone/+/925920

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.