2017-10-27 12:04:04 |
lahari |
bug |
|
|
added bug |
2017-10-27 12:07:17 |
Sudheer Kalla |
attachment added |
|
testing.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/4997850/+files/testing.png |
|
2017-10-27 12:07:31 |
Sudheer Kalla |
horizon: status |
New |
Confirmed |
|
2017-10-27 12:07:41 |
Sudheer Kalla |
horizon: status |
Confirmed |
New |
|
2017-10-27 20:06:37 |
Gary W. Smith |
tags |
|
keystone |
|
2017-10-27 20:08:05 |
Gary W. Smith |
summary |
unable to change user password |
Unable to change user password when ENFORCE_PASSWORD_CHECK is True |
|
2017-10-30 05:54:48 |
Sudheer Kalla |
bug |
|
|
added subscriber Sudheer Kalla |
2017-10-31 05:50:41 |
Sudheer Kalla |
attachment added |
|
Bug.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5000722/+files/Bug.png |
|
2022-08-23 07:11:38 |
OpenStack Infra |
horizon: status |
New |
In Progress |
|
2024-03-07 07:44:40 |
Andres Mariano Zwaal |
bug |
|
|
added subscriber Andres Mariano Zwaal |
2024-03-20 15:22:25 |
OpenStack Infra |
horizon: status |
In Progress |
Fix Released |
|
2024-03-28 19:25:54 |
OpenStack Infra |
tags |
keystone |
in-stable-zed keystone |
|
2024-04-01 16:21:17 |
Rodrigo Barbieri |
summary |
Unable to change user password when ENFORCE_PASSWORD_CHECK is True |
[SRU] Unable to change user password when ENFORCE_PASSWORD_CHECK is True |
|
2024-04-01 18:18:05 |
Rodrigo Barbieri |
description |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled (Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True),
the user password cannot be changed.
The form submission fails, displaying a message that the admin password is incorrect.
The reason for this is in openstack_dashboard/api/keystone.py:
the user_verify_admin_password method uses the internal URL to communicate with Keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL. |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled (Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True),
the user password cannot be changed.
The form submission fails, displaying a message that the admin password is incorrect.
The reason for this is in openstack_dashboard/api/keystone.py:
the user_verify_admin_password method uses the internal URL to communicate with Keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.
===============
SRU Description
===============
[Impact]
Admins cannot change users' passwords: the dashboard gives an error saying that the admin's password is incorrect, despite it being correct. There are two causes:
1) Because no user_domain is specified when validating the admin's password, validation will always fail if the admin is not registered in the "default" domain, since user_domain defaults to "default" when not specified.
2) Even if the admin user is registered in the "default" domain, validation may fail because the wrong endpoint is used in the request to validate the admin's password.
The issues are fixed in two separate patches, [1] and [2]. However, [2] introduces a new config option, while [1] alone is enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test case]
1. Set up the environment
1a. Deploy an OpenStack environment with horizon/openstack-dashboard.
1b. Set up the admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo, preferably in admin_domain as well for convenience.
2. Reproduce the bug
2a. Log in as admin and navigate to Identity > Users.
2b. On the far right-hand side of the demo user row, click the options button and select Change Password.
2c. Type in any new password, repeat it below, and type in the admin password. Click Save; you should see the message "The admin password is incorrect".
3. Install the package that contains the fixed code.
4. Confirm the fix
4a. Repeat steps 2a-2c.
4b. The password should now be saved successfully.
[Regression Potential]
The code is a one-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Use of fix [1] has also been tested manually without fix [2] and still worked.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574 |
|
2024-04-01 18:18:23 |
Rodrigo Barbieri |
tags |
in-stable-zed keystone |
in-stable-zed keystone sts sts-sru-needed |
|
2024-04-01 19:18:59 |
Rodrigo Barbieri |
attachment added |
|
lp1728031_mantic.debdiff https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5761110/+files/lp1728031_mantic.debdiff |
|
2024-04-01 19:19:18 |
Rodrigo Barbieri |
attachment added |
|
lp1728031_lunar.debdiff https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5761111/+files/lp1728031_lunar.debdiff |
|
2024-04-01 19:25:58 |
Rodrigo Barbieri |
attachment added |
|
lp1728031_zed.debdiff https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5761112/+files/lp1728031_zed.debdiff |
|
2024-04-01 19:27:46 |
Rodrigo Barbieri |
attachment added |
|
lp1728031_jammy.debdiff https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5761113/+files/lp1728031_jammy.debdiff |
|
2024-04-10 10:17:49 |
Rodrigo Barbieri |
bug task added |
|
ubuntu |
|
2024-04-10 10:18:14 |
Rodrigo Barbieri |
nominated for series |
|
Ubuntu Mantic |
|
2024-04-10 10:18:14 |
Rodrigo Barbieri |
bug task added |
|
Ubuntu Mantic |
|
2024-04-10 10:18:14 |
Rodrigo Barbieri |
nominated for series |
|
Ubuntu Focal |
|
2024-04-10 10:18:14 |
Rodrigo Barbieri |
bug task added |
|
Ubuntu Focal |
|
2024-04-10 10:18:14 |
Rodrigo Barbieri |
nominated for series |
|
Ubuntu Jammy |
|
2024-04-10 10:18:14 |
Rodrigo Barbieri |
bug task added |
|
Ubuntu Jammy |
|
2024-04-10 10:19:55 |
Rodrigo Barbieri |
bug task added |
|
cloud-archive |
|
2024-04-10 10:20:20 |
Rodrigo Barbieri |
nominated for series |
|
cloud-archive/antelope |
|
2024-04-10 10:20:20 |
Rodrigo Barbieri |
bug task added |
|
cloud-archive/antelope |
|
2024-04-10 10:20:20 |
Rodrigo Barbieri |
nominated for series |
|
cloud-archive/yoga |
|
2024-04-10 10:20:20 |
Rodrigo Barbieri |
bug task added |
|
cloud-archive/yoga |
|
2024-04-10 10:20:20 |
Rodrigo Barbieri |
nominated for series |
|
cloud-archive/bobcat |
|
2024-04-10 10:20:20 |
Rodrigo Barbieri |
bug task added |
|
cloud-archive/bobcat |
|
2024-04-10 10:20:20 |
Rodrigo Barbieri |
nominated for series |
|
cloud-archive/zed |
|
2024-04-10 10:20:20 |
Rodrigo Barbieri |
bug task added |
|
cloud-archive/zed |
|
2024-04-10 10:23:01 |
Rodrigo Barbieri |
bug task deleted |
ubuntu |
|
|
2024-04-10 10:23:10 |
Rodrigo Barbieri |
bug task deleted |
Ubuntu Focal |
|
|
2024-04-10 10:23:15 |
Rodrigo Barbieri |
bug task deleted |
Ubuntu Jammy |
|
|
2024-04-10 10:23:20 |
Rodrigo Barbieri |
bug task deleted |
Ubuntu Mantic |
|
|
2024-04-10 10:24:02 |
Rodrigo Barbieri |
bug task added |
|
horizon (Ubuntu) |
|
2024-04-10 10:24:17 |
Rodrigo Barbieri |
nominated for series |
|
Ubuntu Mantic |
|
2024-04-10 10:24:17 |
Rodrigo Barbieri |
bug task added |
|
horizon (Ubuntu Mantic) |
|
2024-04-10 10:24:17 |
Rodrigo Barbieri |
nominated for series |
|
Ubuntu Focal |
|
2024-04-10 10:24:17 |
Rodrigo Barbieri |
bug task added |
|
horizon (Ubuntu Focal) |
|
2024-04-10 10:24:17 |
Rodrigo Barbieri |
nominated for series |
|
Ubuntu Jammy |
|
2024-04-10 10:24:17 |
Rodrigo Barbieri |
bug task added |
|
horizon (Ubuntu Jammy) |
|
2024-04-30 16:34:52 |
OpenStack Infra |
cloud-archive/zed: status |
New |
Fix Released |
|
2024-05-17 19:27:43 |
Mauricio Faria de Oliveira |
nominated for series |
|
Ubuntu Oracular |
|
2024-05-17 19:27:43 |
Mauricio Faria de Oliveira |
bug task added |
|
horizon (Ubuntu Oracular) |
|
2024-05-17 19:27:43 |
Mauricio Faria de Oliveira |
nominated for series |
|
Ubuntu Noble |
|
2024-05-17 19:27:43 |
Mauricio Faria de Oliveira |
bug task added |
|
horizon (Ubuntu Noble) |
|
2024-05-20 12:45:51 |
Rodrigo Barbieri |
description |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled (Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True),
the user password cannot be changed.
The form submission fails, displaying a message that the admin password is incorrect.
The reason for this is in openstack_dashboard/api/keystone.py:
the user_verify_admin_password method uses the internal URL to communicate with Keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.
===============
SRU Description
===============
[Impact]
Admins cannot change users' passwords: the dashboard gives an error saying that the admin's password is incorrect, despite it being correct. There are two causes:
1) Because no user_domain is specified when validating the admin's password, validation will always fail if the admin is not registered in the "default" domain, since user_domain defaults to "default" when not specified.
2) Even if the admin user is registered in the "default" domain, validation may fail because the wrong endpoint is used in the request to validate the admin's password.
The issues are fixed in two separate patches, [1] and [2]. However, [2] introduces a new config option, while [1] alone is enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test case]
1. Set up the environment
1a. Deploy an OpenStack environment with horizon/openstack-dashboard.
1b. Set up the admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo, preferably in admin_domain as well for convenience.
2. Reproduce the bug
2a. Log in as admin and navigate to Identity > Users.
2b. On the far right-hand side of the demo user row, click the options button and select Change Password.
2c. Type in any new password, repeat it below, and type in the admin password. Click Save; you should see the message "The admin password is incorrect".
3. Install the package that contains the fixed code.
4. Confirm the fix
4a. Repeat steps 2a-2c.
4b. The password should now be saved successfully.
[Regression Potential]
The code is a one-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Use of fix [1] has also been tested manually without fix [2] and still worked.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574 |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled (Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True),
the user password cannot be changed.
The form submission fails, displaying a message that the admin password is incorrect.
The reason for this is in openstack_dashboard/api/keystone.py:
the user_verify_admin_password method uses the internal URL to communicate with Keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.
===============
SRU Description
===============
[Impact]
Admins cannot change users' passwords: the dashboard gives an error saying that the admin's password is incorrect, despite it being correct. There are two causes:
1) Because no user_domain is specified when validating the admin's password, validation will always fail if the admin is not registered in the "default" domain, since user_domain defaults to "default" when not specified.
2) Even if the admin user is registered in the "default" domain, validation may fail because the wrong endpoint is used in the request to validate the admin's password.
The issues are fixed in two separate patches, [1] and [2]. However, [2] introduces a new config option, while [1] alone is enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test case]
1. Set up the environment, ensuring ENFORCE_PASSWORD_CHECK is set to True
1a. Deploy an OpenStack environment with horizon/openstack-dashboard.
1b. Set up the admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo, preferably in admin_domain as well for convenience.
2. Reproduce the bug
2a. Log in as admin and navigate to Identity > Users.
2b. On the far right-hand side of the demo user row, click the options button and select Change Password.
2c. Type in any new password, repeat it below, and type in the admin password. Click Save; you should see the message "The admin password is incorrect".
3. Install the package that contains the fixed code.
4. Confirm the fix
4a. Repeat steps 2a-2c.
4b. The password should now be saved successfully.
[Regression Potential]
The code is a one-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Use of fix [1] has also been tested manually without fix [2] and still worked.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574 |
|
2024-05-20 12:55:08 |
Rodrigo Barbieri |
description |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled (Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True),
the user password cannot be changed.
The form submission fails, displaying a message that the admin password is incorrect.
The reason for this is in openstack_dashboard/api/keystone.py:
the user_verify_admin_password method uses the internal URL to communicate with Keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.
===============
SRU Description
===============
[Impact]
Admins cannot change users' passwords: the dashboard gives an error saying that the admin's password is incorrect, despite it being correct. There are two causes:
1) Because no user_domain is specified when validating the admin's password, validation will always fail if the admin is not registered in the "default" domain, since user_domain defaults to "default" when not specified.
2) Even if the admin user is registered in the "default" domain, validation may fail because the wrong endpoint is used in the request to validate the admin's password.
The issues are fixed in two separate patches, [1] and [2]. However, [2] introduces a new config option, while [1] alone is enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test case]
1. Set up the environment, ensuring ENFORCE_PASSWORD_CHECK is set to True
1a. Deploy an OpenStack environment with horizon/openstack-dashboard.
1b. Set up the admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo, preferably in admin_domain as well for convenience.
2. Reproduce the bug
2a. Log in as admin and navigate to Identity > Users.
2b. On the far right-hand side of the demo user row, click the options button and select Change Password.
2c. Type in any new password, repeat it below, and type in the admin password. Click Save; you should see the message "The admin password is incorrect".
3. Install the package that contains the fixed code.
4. Confirm the fix
4a. Repeat steps 2a-2c.
4b. The password should now be saved successfully.
[Regression Potential]
The code is a one-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Use of fix [1] has also been tested manually without fix [2] and still worked.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574 |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled (Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True),
the user password cannot be changed.
The form submission fails, displaying a message that the admin password is incorrect.
The reason for this is in openstack_dashboard/api/keystone.py:
the user_verify_admin_password method uses the internal URL to communicate with Keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.
===============
SRU Description
===============
[Impact]
Admins cannot change users' passwords: the dashboard gives an error saying that the admin's password is incorrect, despite it being correct. There are two causes:
1) Because no user_domain is specified when validating the admin's password, validation will always fail if the admin is not registered in the "default" domain, since user_domain defaults to "default" when not specified.
2) Even if the admin user is registered in the "default" domain, validation may fail because the wrong endpoint is used in the request to validate the admin's password.
The issues are fixed in two separate patches, [1] and [2]. However, [2] introduces a new config option, while [1] alone is enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test case]
1. Set up the environment, ensuring ENFORCE_PASSWORD_CHECK is set to True
1a. Deploy an OpenStack environment with horizon/openstack-dashboard.
1b. Set up the admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo, preferably in admin_domain as well for convenience.
2. Reproduce the bug
2a. Log in as admin and navigate to Identity > Users.
2b. On the far right-hand side of the demo user row, click the options button and select Change Password.
2c. Type in any new password, repeat it below, and type in the admin password. Click Save; you should see the message "The admin password is incorrect".
3. Install the package that contains the fixed code.
4. Confirm the fix
4a. Repeat steps 2a-2c.
4b. The password should now be saved successfully.
[Where problems could occur]
The code is a one-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Use of fix [1] has also been tested manually without fix [2] and still worked. In the worst case, the ability to change passwords, which currently does not work, will still not work, because the code change is isolated to the specific function that validates the authenticity of the password used.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574 |
|
2024-06-04 20:49:00 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Oracular): importance |
Undecided |
Medium |
|
2024-06-04 20:49:00 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Oracular): status |
New |
Triaged |
|
2024-06-04 20:49:00 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Oracular): assignee |
|
Mauricio Faria de Oliveira (mfo) |
|
2024-06-04 21:57:34 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Oracular): status |
Triaged |
Fix Committed |
|
2024-06-05 00:07:46 |
Launchpad Janitor |
horizon (Ubuntu Oracular): status |
Fix Committed |
Fix Released |
|
2024-06-05 13:24:25 |
Mauricio Faria de Oliveira |
description |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled (Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True),
the user password cannot be changed.
The form submission fails, displaying a message that the admin password is incorrect.
The reason for this is in openstack_dashboard/api/keystone.py:
the user_verify_admin_password method uses the internal URL to communicate with Keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.
===============
SRU Description
===============
[Impact]
Admins cannot change users' passwords: the dashboard gives an error saying that the admin's password is incorrect, despite it being correct. There are two causes:
1) Because no user_domain is specified when validating the admin's password, validation will always fail if the admin is not registered in the "default" domain, since user_domain defaults to "default" when not specified.
2) Even if the admin user is registered in the "default" domain, validation may fail because the wrong endpoint is used in the request to validate the admin's password.
The issues are fixed in two separate patches, [1] and [2]. However, [2] introduces a new config option, while [1] alone is enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test case]
1. Set up the environment, ensuring ENFORCE_PASSWORD_CHECK is set to True
1a. Deploy an OpenStack environment with horizon/openstack-dashboard.
1b. Set up the admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo, preferably in admin_domain as well for convenience.
2. Reproduce the bug
2a. Log in as admin and navigate to Identity > Users.
2b. On the far right-hand side of the demo user row, click the options button and select Change Password.
2c. Type in any new password, repeat it below, and type in the admin password. Click Save; you should see the message "The admin password is incorrect".
3. Install the package that contains the fixed code.
4. Confirm the fix
4a. Repeat steps 2a-2c.
4b. The password should now be saved successfully.
[Where problems could occur]
The code is a one-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Use of fix [1] has also been tested manually without fix [2] and still worked. In the worst case, the ability to change passwords, which currently does not work, will still not work, because the code change is isolated to the specific function that validates the authenticity of the password used.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574 |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled (Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True),
the user password cannot be changed.
The form submission fails, displaying a message that the admin password is incorrect.
The reason for this is in openstack_dashboard/api/keystone.py:
the user_verify_admin_password method uses the internal URL to communicate with Keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.
===============
SRU Description
===============
[Impact]
Admins cannot change users' passwords: the dashboard gives an error saying that the admin's password is incorrect, despite it being correct. There are two causes:
1) Because no user_domain is specified when validating the admin's password, validation will always fail if the admin is not registered in the "default" domain, since user_domain defaults to "default" when not specified.
2) Even if the admin user is registered in the "default" domain, validation may fail because the wrong endpoint is used in the request to validate the admin's password.
The issues are fixed in two separate patches, [1] and [2]. However, [2] introduces a new config option, while [1] alone is enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test case]
1. Set up the environment, ensuring ENFORCE_PASSWORD_CHECK is set to True
1a. Deploy an OpenStack environment with horizon/openstack-dashboard.
1b. Set up the admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo, preferably in admin_domain as well for convenience.
2. Reproduce the bug
2a. Log in as admin and navigate to Identity > Users.
2b. On the far right-hand side of the demo user row, click the options button and select Change Password.
2c. Type in any new password, repeat it below, and type in the admin password. Click Save; you should see the message "The admin password is incorrect".
3. Install the package that contains the fixed code.
4. Confirm the fix
4a. Repeat steps 2a-2c.
4b. The password should now be saved successfully.
[Where problems could occur]
The code is a one-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Use of fix [1] has also been tested manually without fix [2] and still worked. In the worst case, the ability to change passwords, which currently does not work, will still not work, because the code change is isolated to the specific function that validates the authenticity of the password used.
Regressions would likely manifest when trying to change user passwords.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574 |
|
2024-06-05 13:31:10 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Noble): importance |
Undecided |
Medium |
|
2024-06-05 13:31:10 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Noble): status |
New |
In Progress |
|
2024-06-05 13:31:10 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Noble): assignee |
|
Mauricio Faria de Oliveira (mfo) |
|
2024-06-05 16:48:05 |
Robie Basak |
horizon (Ubuntu Noble): status |
In Progress |
Fix Committed |
|
2024-06-05 16:48:07 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2024-06-05 16:48:12 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
2024-06-05 16:48:16 |
Robie Basak |
tags |
in-stable-zed keystone sts sts-sru-needed |
in-stable-zed keystone sts sts-sru-needed verification-needed verification-needed-noble |
|
2024-06-05 18:03:49 |
Mauricio Faria de Oliveira |
description |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled
Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True
The user password cannot be changed.
The form submission fails by displaying that admin password is incorrect.
The reason for this is in keystone.py in openstack_dashboard/api/keystone.py
user_verify_admin_password method uses internal url to communicate with the keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL
===============
SRU Description
===============
[Impact]
Admins cannot change user's password as it gives an error saying that the admin's password is incorrect, despite being correct. There are 2 causes:
1) due to the lack of user_domain being specified when validating the admin's password, it will always fail if the admin is not registered in the "default" domain, because the user_domain defaults to "default" when not specified.
2) even if the admin user is registered in the "default" domain, it may fail due to the wrong endpoint being used in the request to validate the admin's password.
The issues are fixed in 2 separate patches [1] and [2]. However, [2] is introducing a new config option, while [1] alone is also enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test case]
1. Setting up the env, ensure ENFORCE_PASSWORD_CHECK is set to True
1a. Deploy openstack env with horizon/openstack-dashboard
1b. Set up admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo. Preferably in the admin_domain as well for convenience.
2. Reproduce the bug
2a. Login as admin and navigate to Identity > Users
2b. On the far right-hand side of the demo user row, click the options button and select Change Password
2c. Type in any new password, repeat it below, and type in the admin password. Click Save and you should see a message "The admin password is incorrect"
3. Install package that contains the fixed code
4. Confirm fix
5a. Repeat steps 2a-2c
5b. The password should now be saved successfully
[Where problems could occur]
The code is a 1-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master(Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Usage of fix [1] has also been tested manually without fix [2] and still worked. Worst case scenario, the ability to change password that currently does not work will still not work, because the code change is isolated to the specific function that validates the authenticity of the password used.
Regressions would likely manifest when trying to change user passwords.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574 |
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled
Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True
The user password cannot be changed.
The form submission fails by displaying that admin password is incorrect.
The reason for this is in keystone.py in openstack_dashboard/api/keystone.py
user_verify_admin_password method uses internal url to communicate with the keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL
===============
SRU Description
===============
[Impact]
Admins cannot change user's password as it gives an error saying that the admin's password is incorrect, despite being correct. There are 2 causes:
1) due to the lack of user_domain being specified when validating the admin's password, it will always fail if the admin is not registered in the "default" domain, because the user_domain defaults to "default" when not specified.
2) even if the admin user is registered in the "default" domain, it may fail due to the wrong endpoint being used in the request to validate the admin's password.
The issues are fixed in 2 separate patches [1] and [2]. However, [2] is introducing a new config option, while [1] alone is also enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test Plan]
Part 1/2) Test case
1. Set up the env and ensure ENFORCE_PASSWORD_CHECK is set to True
1a. Deploy an OpenStack env with horizon/openstack-dashboard
1b. Set up the admin user in a domain not named "default", such as "admin_domain".
1c. Set up any other user, such as demo. Preferably in admin_domain as well, for convenience.
2. Reproduce the bug
2a. Log in as admin and navigate to Identity > Users
2b. On the far right-hand side of the demo user row, click the options button and select Change Password
2c. Type in any new password, repeat it below, and type in the admin password. Click Save and you should see the message "The admin password is incorrect"
3. Install the package that contains the fixed code
4. Confirm the fix
4a. Repeat steps 2a-2c
4b. The password should now be saved successfully
Part 2/2) Expected failures
Check that password changes continue to fail in scenarios where they are expected to fail, such as:
- admin password incorrect
- user not authorized cases
(comment #35)
[Where problems could occur]
The code is a 1-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Usage of fix [1] has also been tested manually without fix [2] and still worked. In the worst case, the ability to change passwords, which currently does not work, will still not work, because the code change is isolated to the specific function that validates the authenticity of the password used.
Regressions would likely manifest when trying to change user passwords.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574 |
|
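The following is an added, constructed model of cause 1 from the [Impact] section above; it is not Horizon's code and not the content of patch [1] or [2]. Keystone v3 identifies a user by name and domain together, so a verifier that silently defaults the domain to "default" cannot find an admin registered in admin_domain; the mock identity backend, user names and passwords below are all made up for the illustration.

```python
from typing import Optional

# Constructed mock of Keystone v3 identity data: a user name is unique only
# within its domain, so (domain, name) is the real identifier.
MOCK_USERS = {
    ("default", "demo"): "demo-pass",
    ("admin_domain", "admin"): "admin-pass",
}


def build_v3_password_auth(username: str, password: str,
                           user_domain_name: Optional[str] = None) -> dict:
    """Keystone v3 password-auth body; with no domain given it falls back to
    "default", mirroring the pre-fix behaviour the bug describes."""
    user = {"name": username, "password": password,
            "domain": {"name": user_domain_name or "default"}}
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}}}}


def mock_keystone_authenticate(body: dict) -> bool:
    """Resolve the user by (domain, name), then compare the password."""
    user = body["auth"]["identity"]["password"]["user"]
    key = (user["domain"]["name"], user["name"])
    return MOCK_USERS.get(key) == user["password"]


def verify_admin_password_buggy(admin_name: str, admin_password: str) -> bool:
    """Pre-fix shape: the admin's own domain is never sent along."""
    return mock_keystone_authenticate(
        build_v3_password_auth(admin_name, admin_password))


def verify_admin_password_fixed(admin_name: str, admin_password: str,
                                admin_domain: str) -> bool:
    """Post-fix shape: verify against the domain the admin logged in from."""
    return mock_keystone_authenticate(
        build_v3_password_auth(admin_name, admin_password, admin_domain))


if __name__ == "__main__":
    # Correct admin password, admin registered in admin_domain (not default):
    print(verify_admin_password_buggy("admin", "admin-pass"))                  # False
    print(verify_admin_password_fixed("admin", "admin-pass", "admin_domain"))  # True
    # An expected failure (wrong admin password) must still fail after the fix:
    print(verify_admin_password_fixed("admin", "wrong", "admin_domain"))       # False
```

The last call corresponds to Part 2/2 of the test plan: carrying the domain through fixes the false rejection without turning a genuinely wrong admin password into a pass.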
2024-06-05 18:11:14 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Mantic): importance |
Undecided |
Medium |
|
2024-06-05 18:11:14 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Mantic): status |
New |
In Progress |
|
2024-06-05 18:11:14 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Mantic): assignee |
|
Rodrigo Barbieri (rodrigo-barbieri2010) |
|
2024-06-05 19:30:03 |
Rodrigo Barbieri |
bug task deleted |
horizon (Ubuntu Focal) |
|
|
2024-06-05 19:34:36 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Jammy): importance |
Undecided |
Medium |
|
2024-06-05 19:34:36 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Jammy): status |
New |
In Progress |
|
2024-06-05 19:34:36 |
Mauricio Faria de Oliveira |
horizon (Ubuntu Jammy): assignee |
|
Rodrigo Barbieri (rodrigo-barbieri2010) |
|
2024-06-06 14:58:51 |
Andreas Hasenack |
horizon (Ubuntu Mantic): status |
In Progress |
Fix Committed |
|
2024-06-06 14:58:59 |
Andreas Hasenack |
tags |
in-stable-zed keystone sts sts-sru-needed verification-needed verification-needed-noble |
in-stable-zed keystone sts sts-sru-needed verification-needed verification-needed-mantic verification-needed-noble |
|
2024-06-06 15:00:15 |
Andreas Hasenack |
horizon (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2024-06-06 15:00:23 |
Andreas Hasenack |
tags |
in-stable-zed keystone sts sts-sru-needed verification-needed verification-needed-mantic verification-needed-noble |
in-stable-zed keystone sts sts-sru-needed verification-needed verification-needed-jammy verification-needed-mantic verification-needed-noble |
|
2024-06-21 13:27:20 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_jammy_yoga_reproduced.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5791143/+files/bug_1728031_jammy_yoga_reproduced.png |
|
2024-06-21 13:27:42 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_jammy_yoga_fixed.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5791144/+files/bug_1728031_jammy_yoga_fixed.png |
|
2024-06-21 13:28:01 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_mantic_bobcat_reproduced.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5791145/+files/bug_1728031_mantic_bobcat_reproduced.png |
|
2024-06-21 13:28:16 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_mantic_bobcat_fixed.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5791146/+files/bug_1728031_mantic_bobcat_fixed.png |
|
2024-06-21 13:28:33 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_noble_caracal_reproduced.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5791147/+files/bug_1728031_noble_caracal_reproduced.png |
|
2024-06-21 13:29:07 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_noble_caracal_fixed.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5791148/+files/bug_1728031_noble_caracal_fixed.png |
|
2024-06-21 13:30:56 |
Rodrigo Barbieri |
tags |
in-stable-zed keystone sts sts-sru-needed verification-needed verification-needed-jammy verification-needed-mantic verification-needed-noble |
in-stable-zed keystone sts sts-sru-needed verification-done-jammy verification-done-mantic verification-done-noble verification-needed |
|
2024-06-27 19:29:11 |
Launchpad Janitor |
horizon (Ubuntu Noble): status |
Fix Committed |
Fix Released |
|
2024-06-27 19:29:20 |
Andreas Hasenack |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2024-06-27 19:29:41 |
Launchpad Janitor |
horizon (Ubuntu Mantic): status |
Fix Committed |
Fix Released |
|
2024-06-27 19:30:07 |
Launchpad Janitor |
horizon (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2024-06-28 09:03:38 |
James Page |
cloud-archive/bobcat: status |
New |
Fix Committed |
|
2024-06-28 09:03:41 |
James Page |
tags |
in-stable-zed keystone sts sts-sru-needed verification-done-jammy verification-done-mantic verification-done-noble verification-needed |
in-stable-zed keystone sts sts-sru-needed verification-bobcat-needed verification-done-jammy verification-done-mantic verification-done-noble verification-needed |
|
2024-06-28 09:05:54 |
James Page |
cloud-archive/yoga: status |
New |
Fix Committed |
|
2024-06-28 09:05:56 |
James Page |
tags |
in-stable-zed keystone sts sts-sru-needed verification-bobcat-needed verification-done-jammy verification-done-mantic verification-done-noble verification-needed |
in-stable-zed keystone sts sts-sru-needed verification-bobcat-needed verification-done-jammy verification-done-mantic verification-done-noble verification-needed verification-yoga-needed |
|
2024-06-28 16:09:34 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_jammy_bobcat_reproduced.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5793202/+files/bug_1728031_jammy_bobcat_reproduced.png |
|
2024-06-28 16:09:50 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_jammy_bobcat_fixed.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5793203/+files/bug_1728031_jammy_bobcat_fixed.png |
|
2024-06-28 16:12:31 |
Rodrigo Barbieri |
tags |
in-stable-zed keystone sts sts-sru-needed verification-bobcat-needed verification-done-jammy verification-done-mantic verification-done-noble verification-needed verification-yoga-needed |
in-stable-zed keystone sts sts-sru-needed verification-bobcat-done verification-done-jammy verification-done-mantic verification-done-noble verification-needed verification-yoga-needed |
|
2024-06-28 19:49:23 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_focal_yoga_reproduced.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5793340/+files/bug_1728031_focal_yoga_reproduced.png |
|
2024-06-28 19:49:40 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_focal_yoga_fixed.png https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5793341/+files/bug_1728031_focal_yoga_fixed.png |
|
2024-06-28 19:50:01 |
Rodrigo Barbieri |
tags |
in-stable-zed keystone sts sts-sru-needed verification-bobcat-done verification-done-jammy verification-done-mantic verification-done-noble verification-needed verification-yoga-needed |
in-stable-zed keystone sts sts-sru-needed verification-bobcat-done verification-done-jammy verification-done-mantic verification-done-noble verification-needed verification-yoga-done |
|
2024-07-08 15:40:26 |
James Page |
cloud-archive/bobcat: status |
Fix Committed |
Fix Released |
|
2024-07-08 15:50:39 |
Rodrigo Barbieri |
cloud-archive/zed: status |
Fix Released |
Won't Fix |
|
2024-07-08 16:08:46 |
James Page |
cloud-archive/yoga: status |
Fix Committed |
Fix Released |
|
2024-07-09 12:19:53 |
Mauricio Faria de Oliveira |
attachment added |
|
antelope-lp1728031-lp2054799-lp2055409.debdiff https://bugs.launchpad.net/horizon/+bug/1728031/+attachment/5795612/+files/antelope-lp1728031-lp2054799-lp2055409.debdiff |
|
2024-07-09 12:24:02 |
Mauricio Faria de Oliveira |
cloud-archive/antelope: importance |
Undecided |
Medium |
|
2024-07-09 12:24:02 |
Mauricio Faria de Oliveira |
cloud-archive/antelope: status |
New |
In Progress |
|
2024-07-10 04:11:09 |
James Page |
cloud-archive/antelope: status |
In Progress |
Fix Committed |
|
2024-07-10 04:11:13 |
James Page |
tags |
in-stable-zed keystone sts sts-sru-needed verification-bobcat-done verification-done-jammy verification-done-mantic verification-done-noble verification-needed verification-yoga-done |
in-stable-zed keystone sts sts-sru-needed verification-antelope-needed verification-bobcat-done verification-done-jammy verification-done-mantic verification-done-noble verification-needed verification-yoga-done |
|
2024-07-10 11:35:20 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_jammy_antelope_reproduced.png https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1728031/+attachment/5795838/+files/bug_1728031_jammy_antelope_reproduced.png |
|
2024-07-10 11:36:10 |
Rodrigo Barbieri |
attachment added |
|
bug_1728031_jammy_antelope_fixed.png https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1728031/+attachment/5795839/+files/bug_1728031_jammy_antelope_fixed.png |
|
2024-07-10 11:36:45 |
Rodrigo Barbieri |
tags |
in-stable-zed keystone sts sts-sru-needed verification-antelope-needed verification-bobcat-done verification-done-jammy verification-done-mantic verification-done-noble verification-needed verification-yoga-done |
in-stable-zed keystone sts sts-sru-needed verification-antelope-done verification-bobcat-done verification-done verification-done-jammy verification-done-mantic verification-done-noble verification-yoga-done |
|