change_password_after_first_use is documented but doesn't exist

Bug #1688119 reported by Samuel de Medeiros Queiroz
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Samuel de Medeiros Queiroz

Bug Description

With change_password_after_first_use set to true, new users or users whose password got administratively updated should get their password_expires_at set to the current time, and password_expires_days should not be honored.

keystone.conf:

[security_compliance]
# Configuring password expiration
password_expires_days = 1
# Force users to immediately change their password upon first use
change_password_after_first_use = true

(demo) samueldmq@workstation:~/workspace$ date -u
Qua Mai 3 21:24:34 UTC 2017
(demo) samueldmq@workstation:~/workspace$ openstack user create demo --password demo123 --domain default
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 0d56a461493a43a1aa34b604970800c1 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | 2017-05-04T21:24:40.000000       |
+---------------------+----------------------------------+

(demo) samueldmq@workstation:~/workspace$ date -u
Qua Mai 3 21:27:47 UTC 2017
(demo) samueldmq@workstation:~/workspace$ openstack user set demo --password 123demo
(demo) samueldmq@workstation:~/workspace$ openstack user show demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 0d56a461493a43a1aa34b604970800c1 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | 2017-05-04T21:27:53.000000       |
+---------------------+----------------------------------+

Environment:
- Ubuntu 14.04 LTS
- Using virtualenv-15.0.1 with Python 3.5
- keystone master version
- python-openstackclient master version

Rajat Sharma (tajar29)
Changed in keystone:
assignee: nobody → Rajat Sharma (tajar29)
Gage Hugo (gagehugo) wrote :

I cannot recreate this, it works correctly for me. Using master as of about 2 weeks ago.

keystone.conf:

[security_compliance]
# Configuring password expiration
password_expires_days = 1
# Force users to immediately change their password upon first use
change_password_after_first_use = true

pi@controllerpi:~ $ date -u
Tue Jun 20 22:09:05 UTC 2017
pi@controllerpi:~ $ openstack user create demo --password demo --domain default
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 045f275ca5d342ff801302350ade48fc |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | 2017-06-20T22:09:34.826090       |
+---------------------+----------------------------------+
pi@controllerpi:~ $ openstack user set demo --password demo1
pi@controllerpi:~ $ openstack user show demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 045f275ca5d342ff801302350ade48fc |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | 2017-06-20T22:11:04.000000       |
+---------------------+----------------------------------+
pi@controllerpi:~ $ date -u
Tue Jun 20 22:11:10 UTC 2017

tags: added: pci
Samuel de Medeiros Queiroz (samueldmq) wrote :

I was setting change_password_after_first_use, when the actual config is called change_password_upon_first_use. I will get a fix on the docs.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/476235

Changed in keystone:
assignee: Rajat Sharma (tajar29) → Samuel de Medeiros Queiroz (samueldmq)
status: New → In Progress
Changed in keystone:
importance: Undecided → Low
Lance Bragstad (lbragstad) wrote :
tags: added: documentation
summary: - change_password_after_first_use is not honored
+ change_password_after_first_use is documented but doesn't exist
Gage Hugo (gagehugo) wrote :

oops, I had copied your conf values after double checking the config on my test box, it was in fact "change_password_upon_first_use"

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/476235
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=080699d9119d89a9a4465f159740df722eb92fa9
Submitter: Jenkins
Branch: master

commit 080699d9119d89a9a4465f159740df722eb92fa9
Author: Samuel de Medeiros Queiroz <email address hidden>
Date: Wed Jun 21 15:52:22 2017 -0400

    Fix PCI DSS docs on change_password_after_first_use

    The option is called change_password_upon_first_use,
    not change_password_after_first_use.

    Change-Id: I69423b019ec1acade8eeb41c73625084f847b267
    Closes-Bug: #1688119

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → pike-3
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0b3

This issue was fixed in the openstack/keystone 12.0.0.0b3 development milestone.
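
The root cause in this thread was an option name in [security_compliance] that keystone does not define, so the intended control never took effect. As an added example (not keystone's code and not part of the thread), the check below flags option names in that section that are not in a known list and suggests the closest known name. The option list beyond the two names confirmed in the thread, the `debug` line in the sample, and the function name are assumptions.

```python
import configparser
import difflib

# Option names in keystone's [security_compliance] group. The thread confirms
# password_expires_days and change_password_upon_first_use; the others are an
# assumption to verify against the sample keystone.conf of your release.
KNOWN_SECURITY_COMPLIANCE = frozenset({
    "disable_user_account_days_inactive",
    "lockout_failure_attempts",
    "lockout_duration",
    "password_expires_days",
    "unique_last_password_count",
    "minimum_password_age",
    "password_regex",
    "password_regex_description",
    "change_password_upon_first_use",
})

# The configuration from the bug description; the [DEFAULT] lines are
# constructed to show that other sections are not inspected.
REPORTED_CONF = """\
[DEFAULT]
debug = true

[security_compliance]
# Configuring password expiration
password_expires_days = 1
# Force users to immediately change their password upon first use
change_password_after_first_use = true
"""


def unknown_options(conf_text, section="security_compliance",
                    known=KNOWN_SECURITY_COMPLIANCE):
    """Return [(unknown_name, closest_known_name_or_None), ...] for a section."""
    # default_section is renamed so [DEFAULT] keys are not merged into every
    # section; interpolation is off because password_regex may contain '%'.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__none__")
    parser.read_string(conf_text)
    if not parser.has_section(section):
        return []
    findings = []
    for name in parser.options(section):
        if name not in known:
            guess = difflib.get_close_matches(name, sorted(known), n=1)
            findings.append((name, guess[0] if guess else None))
    return findings
```

Run against the reported configuration, it returns the misnamed option paired with `change_password_upon_first_use`; a non-empty result is a reason to fail a configuration review or deployment check.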
