keystone-manage bootstrap cannot recover admin account

Bug #1588860 reported by Dolph Mathews
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Dolph Mathews |
Mitaka | Fix Released | Medium | Dolph Mathews |

Bug Description

The keystone-manage bootstrap command is intended to supersede the admin_token middleware. However, one of the common use cases for the admin_token middleware was to provide a recovery mechanism for cloud operators that had accidentally disabled themselves or lost their password.

However, even after attempting to "re-bootstrap" an existing admin with a known password (effectively performing a password reset), the admin is still not able to authenticate. The same is true if the admin was disabled.

This was originally reported in #openstack-ansible by odyssey4me:

[Fri 09:29] <odyssey4me> dolphm lbragstad is keystone-manage bootstrap meant to skip the bootstrap if there are already settings in place? what is the right way to fix up creds that are lost somehow for the keystone admin?
[Fri 09:30] <dolphm> odyssey4me: bootstrap should be idempotent, but i don't think it'll change an admin's password if you specify something different
[Fri 09:31] <odyssey4me> dolphm so the options are, I guess, to delete the admin account in the db or to use the auth_token middleware?

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph) wrote :
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/325358

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/325352
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d6b016dd91c743a2f454a3b4f9d055510c2215ae
Submitter: Jenkins
Branch: master

commit d6b016dd91c743a2f454a3b4f9d055510c2215ae
Author: Dolph Mathews <email address hidden>
Date: Fri Jun 3 09:55:16 2016 -0500

    Bootstrap: enable and reset password for existing users

    One of the common use cases for the admin_token middleware was to
    provide a recovery mechanism for cloud operators that had accidentally
    disabled themselves or lost their password.

    Instead of using bootstrap to create a second admin just to recover the
    first, this change allows bootstrap to reset the user's credentials and
    ensure that the account is enabled.

    Change-Id: I82cafced67852335e9bb49035f13c993c7ccd2df
    Closes-Bug: 1588860
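
The behaviour change described in this commit message, as an added Python sketch that is not keystone's code: a toy in-memory store shows why re-running bootstrap left a disabled admin locked out, and what resetting the password and enabling the account on conflict changes. The class, the function names, the `reset_existing` flag and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class Conflict(Exception):
    """A user with this name already exists."""

class IdentityStore:
    """Toy in-memory user table, a stand-in for keystone's identity backend."""
    def __init__(self):
        self.users = {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, name, password):
        if name in self.users:
            raise Conflict(name)
        self.users[name] = {"enabled": True}
        self.update_user(name, password=password)

    def update_user(self, name, password=None, enabled=None):
        user = self.users[name]
        if password is not None:
            user["salt"] = os.urandom(16)
            user["hash"] = self._hash(password, user["salt"])
        if enabled is not None:
            user["enabled"] = enabled

    def authenticate(self, name, password):
        user = self.users.get(name)
        if user is None or not user["enabled"]:
            return False
        return hmac.compare_digest(user["hash"], self._hash(password, user["salt"]))

def bootstrap(store, name, password, reset_existing):
    """reset_existing=False models the reported behaviour, True models the fix."""
    try:
        store.create_user(name, password)
    except Conflict:
        if reset_existing:  # hypothetical flag: reset credentials and re-enable
            store.update_user(name, password=password, enabled=True)

def locked_out_store():
    """Constructed scenario: the admin exists, is disabled, password is lost."""
    store = IdentityStore()
    store.create_user("admin", "forgotten-password")
    store.update_user("admin", enabled=False)
    return store
```

With the reset behaviour, whoever can run bootstrap on the keystone host can replace the admin credential, so access to that host and its command history is part of the identity service's trust boundary.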

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → newton-2
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/mitaka)

Reviewed: https://review.openstack.org/325358
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cbbcf241efd97ea6dfbad6f474913afb48b9b652
Submitter: Jenkins
Branch: stable/mitaka

commit cbbcf241efd97ea6dfbad6f474913afb48b9b652
Author: Dolph Mathews <email address hidden>
Date: Fri Jun 3 09:55:16 2016 -0500

    Bootstrap: enable and reset password for existing users

    One of the common use cases for the admin_token middleware was to
    provide a recovery mechanism for cloud operators that had accidentally
    disabled themselves or lost their password.

    Instead of using bootstrap to create a second admin just to recover the
    first, this change allows bootstrap to reset the user's credentials and
    ensure that the account is enabled.

    Change-Id: I82cafced67852335e9bb49035f13c993c7ccd2df
    Closes-Bug: 1588860
    (cherry picked from commit d6b016dd91c743a2f454a3b4f9d055510c2215ae)

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/keystone 10.0.0.0b2

This issue was fixed in the openstack/keystone 10.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 9.2.0

This issue was fixed in the openstack/keystone 9.2.0 release.

Morgan Fainberg (mdrnstm) wrote :

Mitaka is EOL

This report contains Public information  
Everyone can see this information.
