Unable to change user password when ENFORCE_PASSWORD_CHECK is True

Bug #1728031 reported by lahari on 2017-10-27
This bug affects 3 people
Affects: OpenStack Dashboard (Horizon); Importance: Undecided; Assigned to: Unassigned

Bug Description

After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
and enabling Check-Dashboard-09 ("Is ENFORCE_PASSWORD_CHECK set to True"),
the user password cannot be changed.
The form submission fails, displaying a message that the admin password is incorrect.

The reason for this is in openstack_dashboard/api/keystone.py: the user_verify_admin_password method uses the internal URL to communicate with keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.

Sudheer Kalla (sudheer-kalla) wrote :
Changed in horizon:
status: New → Confirmed
status: Confirmed → New
tags: added: keystone
summary: - unable to change user password
+ Unable to change user password when ENFORCE_PASSWORD_CHECK is True
Ying Zuo (yingzuo) wrote :

I am not able to reproduce the issue with the master branch. What version of horizon and keystone are you using?

lahari (ananda-bhavaraju) wrote :

Hello Ying,

I'm using openstack pike and keystone V2

This happens only when I enable ENFORCE_PASSWORD_CHECK to True in local_settings.py

Change ENFORCE_PASSWORD_CHECK to True and restart apache2 service

Then when trying to change a user's password, I get an error saying Admin password is wrong.

Sudheer has attached the image. Thank you, Sudheer.

The reason is IMO that api is trying to communicate via internalURL, which should be changed to adminURL.

Ying Zuo (yingzuo) wrote :

I enabled the ENFORCE_PASSWORD_CHECK and was able to change a user's password with the admin password successfully. I use keystone v3 though.

Sudheer Kalla (sudheer-kalla) wrote :

Hello Ying,

I am able to reproduce the same issue using openstack pike with keystone V3.

Also, I think it is not good to communicate via internalURL as the current implementation does. I think it is better to change the endpoint, or else it will cause problems in the future.

Ying Zuo (yingzuo) wrote :

Hello Sudheer,

I tried with stable/pike branch and keystone v3 this time, and still can not reproduce this issue. Can you double check if the admin password you used is correct?

Sudheer Kalla (sudheer-kalla) wrote :

Hello Ying,

I have just tried it again with the same mentioned configuration and I am able to reproduce it. Please find the attached screenshot, just taken.

Also in debugging session i have observed the following

(Pdb) api.keystone.user_verify_admin_password(request, admin_password)
False

The above api call is failing as a result the issue mentioned in this bug is coming.

Akihiro Motoki (amotoki) wrote :

I can reproduce the issue. I ran the latest horizon master branch f911d0dd406f60fa9df5891ff5760f2251fc96b0 by using runserver tox env (tox -e runserver). After adding ENFORCE_PASSWORD_CHECK = True to local_settings.py, I see the message "The admin password is incorrect.".

Note that I confirmed my admin password is correct by copying the password I typed in the "Change Password" form and then re-login horizon by using the copied password. I believe my admin password is the expected one.

Akihiro Motoki (amotoki) wrote :

After adding an error log message to 'except' clause of user_verify_admin_password in openstack_dashboard.api.keystone, I got the following error message.

  ERROR openstack_dashboard.api.keystone user_verify_admin_password exception: Invalid service catalog service: identity (ServiceCatalogException)

The exception class is ServiceCatalogException and the message is "Invalid service catalog service: identity"

Interestingly enough, the error message is different from the bug description....
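The bug description (a single `_get_endpoint_url(request, 'internalURL')` lookup) and Akihiro's log line (`ServiceCatalogException: Invalid service catalog service: identity`, swallowed by a bare `except` that turns into "The admin password is incorrect.") describe the same failure mode. The following is an added example, not Horizon's code: it mirrors the Keystone v3 token-catalog shape with a constructed catalog whose identity service has public and admin endpoints but no internal one, shows a lookup that raises the same kind of exception, and shows a password-verification wrapper that reports a catalog failure separately from a wrong password instead of collapsing both into `False`. `get_endpoint_url`, `get_endpoint_url_with_fallback`, `verify_admin_password`, `fake_authenticate`, the `ServiceCatalogException` class defined here, and all URLs and region names are hypothetical stand-ins, not Horizon or Keystone API.

```python
"""Added example (not Horizon's code): endpoint lookup keyed on one catalog
interface, and a verification wrapper that does not hide catalog errors.

Everything here is constructed: the catalog, URLs, region and the helper
names are illustrative stand-ins for openstack_dashboard.api.keystone.
"""
import logging

LOG = logging.getLogger(__name__)


class ServiceCatalogException(Exception):
    """Stand-in for the exception Horizon raises when the catalog has no
    usable endpoint; the message shape matches the one seen in the bug."""


# Constructed catalog in Keystone v3 shape.  The identity service publishes
# only 'public' and 'admin' endpoints, which is a common deployment and is
# exactly the situation in which an 'internalURL' lookup finds nothing.
CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://keystone.example.test:5000/v3"},
        {"interface": "admin", "region": "RegionOne",
         "url": "https://keystone.example.test:35357/v3"},
    ]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://nova.example.test:8774/v2.1"},
        {"interface": "internal", "region": "RegionOne",
         "url": "http://10.0.0.5:8774/v2.1"},
    ]},
]

# Keystone v2-style names used by the Horizon call site, mapped to v3 names.
_INTERFACE_ALIASES = {"internalURL": "internal", "adminURL": "admin",
                      "publicURL": "public"}


def get_endpoint_url(catalog, service_type, interface, region=None):
    """Return the URL for service_type at the given interface, or raise."""
    iface = _INTERFACE_ALIASES.get(interface, interface)
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") != iface:
                continue
            if region is not None and ep.get("region") != region:
                continue
            return ep["url"]
    raise ServiceCatalogException(
        "Invalid service catalog service: %s" % service_type)


def get_endpoint_url_with_fallback(catalog, service_type,
                                   interfaces=("internalURL", "adminURL",
                                               "publicURL"),
                                   region=None):
    """Try interfaces in order; raise the last error only if all fail."""
    last_exc = None
    for iface in interfaces:
        try:
            return get_endpoint_url(catalog, service_type, iface, region)
        except ServiceCatalogException as exc:
            last_exc = exc
    raise last_exc


def fake_authenticate(endpoint, password):
    """Constructed stand-in for a real Keystone auth call (no network)."""
    if not endpoint.startswith("https://"):
        raise ValueError("refusing to send a password over plaintext")
    return password == "correct horse"


def verify_admin_password(catalog, authenticate, password,
                          interface="internalURL"):
    """Return (verified, reason).  A missing catalog endpoint is reported as
    'catalog: ...' so callers do not tell the user their password is wrong."""
    try:
        endpoint = get_endpoint_url(catalog, "identity", interface)
    except ServiceCatalogException as exc:
        LOG.error("no %s endpoint for identity: %s", interface, exc)
        return False, "catalog: %s" % exc
    try:
        ok = bool(authenticate(endpoint, password))
    except Exception as exc:  # auth backend error, also not a bad password
        LOG.exception("admin password verification failed")
        return False, "auth: %s" % exc
    return ok, "ok" if ok else "auth: password rejected"
```

Which interface the lookup should use is a deployment policy question rather than a pure bug: a dashboard that is deliberately pinned to `internalURL` so that credentials never traverse the public endpoint should fail loudly when that endpoint is absent, not fall through to `publicURL`; the fallback helper above is shown only to make the catalog-dependence visible, and the real fix in the thread is to surface the `ServiceCatalogException` rather than report it as a wrong password.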
