[SRU] Unable to change user password when ENFORCE_PASSWORD_CHECK is True
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Fix Released | Undecided | Unassigned | |
| Ubuntu Cloud Archive | New | Undecided | Unassigned | |
| Antelope | New | Undecided | Unassigned | |
| Bobcat | New | Undecided | Unassigned | |
| Yoga | New | Undecided | Unassigned | |
| Zed | Fix Released | Undecided | Unassigned | |
| horizon (Ubuntu) | New | Undecided | Unassigned | |
| Focal | New | Undecided | Unassigned | |
| Jammy | New | Undecided | Unassigned | |
| Mantic | New | Undecided | Unassigned | |
Bug Description
After following the security hardening guidelines:
https:/
After this check is enabled
Check-Dashboard-09: Is ENFORCE_
The user password cannot be changed.
The form submission fails by displaying that admin password is incorrect.
The reason for this is in keystone.py in openstack_
user_verify_
line 500:
endpoint = _get_endpoint_
This should be changed to adminURL
===============
SRU Description
===============
[Impact]
Admins cannot change a user's password: the form reports that the admin's password is incorrect even though it is correct. There are two causes:
1) due to the lack of user_domain being specified when validating the admin's password, it will always fail if the admin is not registered in the "default" domain, because the user_domain defaults to "default" when not specified.
2) even if the admin user is registered in the "default" domain, it may fail due to the wrong endpoint being used in the request to validate the admin's password.
The issues are fixed in two separate patches, [1] and [2]. However, [2] introduces a new config option, while [1] alone is enough to fix the problem on some deployments. We are including only [1] in the SRU.
[Test case]
1. Setting up the env
1a. Deploy openstack env with horizon/
1b. Set up admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo. Preferably in the admin_domain as well for convenience.
2. Reproduce the bug
2a. Login as admin and navigate to Identity > Users
2b. On the far right-hand side of the demo user row, click the options button and select Change Password
2c. Type in any new password, repeat it below, and type in the admin password. Click Save and you should see a message "The admin password is incorrect"
3. Install package that contains the fixed code
4. Confirm fix
4a. Repeat steps 2a-2c
4b. The password should now be saved successfully
[Regression Potential]
The code is a one-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Usage of fix [1] has also been tested manually without fix [2] and still worked.
[Other Info]
None.
[1] https:/
[2] https:/
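The two causes listed under [Impact] can be made concrete without a running cloud. The script below is an added illustration and is not Horizon's or Keystone's own code: it builds the Keystone v3 password-auth request body for the admin-password check, once without the logged-in admin's domain (so the lookup falls back to "default", as the bug report describes) and once with it, and resolves the identity endpoint from a service catalog by interface name. The user directory, the catalog, the session dictionary and every function name are constructed for the example; the stand-in authenticator only models how v3 resolves a user by (name, domain) and does not reproduce Keystone internals.

```python
import json

# Constructed directory for the example: (user name, domain id) -> password.
# As in the SRU test case, the admin exists only in "admin_domain", not in
# the "default" domain.
USER_DIRECTORY = {
    ("admin", "admin_domain"): "s3cret",
    ("demo", "admin_domain"): "demo-pass",
}


def build_password_auth(username, password, user_domain_id=None):
    """Build the Keystone v3 POST /v3/auth/tokens body for the password method.

    Keystone v3 identifies a user by name *within a domain*. When the caller
    omits the domain this falls back to "default", mirroring what the bug
    report says happens in the unpatched Horizon call.
    """
    user = {
        "name": username,
        "password": password,
        "domain": {"id": user_domain_id or "default"},
    }
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}}}}


def fake_keystone_authenticate(body):
    """Constructed stand-in for Keystone's credential check: resolve the user
    by (name, domain id) the way v3 requires, then compare the password."""
    user = body["auth"]["identity"]["password"]["user"]
    stored = USER_DIRECTORY.get((user["name"], user["domain"]["id"]))
    return stored is not None and stored == user["password"]


def verify_admin_password_buggy(session_user, admin_password):
    """Cause 1: the logged-in admin's domain is not passed along."""
    body = build_password_auth(session_user["username"], admin_password)
    return fake_keystone_authenticate(body)


def verify_admin_password_fixed(session_user, admin_password):
    """Fix [1] style: carry the session user's domain into the check."""
    body = build_password_auth(session_user["username"], admin_password,
                               user_domain_id=session_user["user_domain_id"])
    return fake_keystone_authenticate(body)


# Cause 2: which catalog endpoint the verification request is sent to.
# Constructed identity-service catalog entry with the three v3 interfaces.
CATALOG = [{
    "type": "identity",
    "endpoints": [
        {"interface": "internal", "url": "http://10.0.0.5:5000/v3"},
        {"interface": "admin", "url": "http://10.0.0.5:35357/v3"},
        {"interface": "public", "url": "https://keystone.example.test:5000/v3"},
    ],
}]


def get_endpoint_url(catalog, interface):
    """Return the identity endpoint URL for an interface. Accepts the v3
    interface names ("internal", "admin", "public") as well as the older
    "internalURL"/"adminURL"/"publicURL" spellings used in the bug report."""
    iface = interface[:-3] if interface.endswith("URL") else interface
    for service in catalog:
        if service["type"] != "identity":
            continue
        for endpoint in service["endpoints"]:
            if endpoint["interface"] == iface:
                return endpoint["url"]
    raise LookupError("no identity endpoint with interface %r" % iface)


if __name__ == "__main__":
    # Constructed session: the admin from the SRU test case, in admin_domain.
    admin = {"username": "admin", "user_domain_id": "admin_domain"}
    print(json.dumps(build_password_auth("admin", "s3cret"), indent=2))
    print("buggy check:", verify_admin_password_buggy(admin, "s3cret"))  # -> False
    print("fixed check:", verify_admin_password_fixed(admin, "s3cret"))  # -> True
    print("internalURL:", get_endpoint_url(CATALOG, "internalURL"))
    print("adminURL:   ", get_endpoint_url(CATALOG, "adminURL"))
```

The buggy check fails for the correct password because the lookup is made against the "default" domain, where no "admin" exists; the fixed check succeeds because the domain from the session is included. The endpoint helper shows that "internalURL" and "adminURL" select different URLs from the same catalog, which is the second cause the SRU describes and the one fix [2] addresses.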
- tags: added: keystone
- summary: unable to change user password → Unable to change user password when ENFORCE_PASSWORD_CHECK is True
- Changed in horizon: status: New → In Progress
- summary: Unable to change user password when ENFORCE_PASSWORD_CHECK is True → [SRU] Unable to change user password when ENFORCE_PASSWORD_CHECK is True
- description: updated
- tags: added: sts sts-sru-needed
- no longer affects: ubuntu
- no longer affects: Ubuntu Focal
- no longer affects: Ubuntu Jammy
- no longer affects: Ubuntu Mantic
I am not able to reproduce the issue with the master branch. What version of horizon and keystone are you using?