ignore_password_expiry is not honored

Bug #1688123 reported by Samuel de Medeiros Queiroz
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |

Bug Description

ignore_password_expiry is set for admin user and is not working properly. With it set to true, the user should not be affected if their password has expired.

keystone.conf:

[cache]
# Global toggle for caching. (boolean value)
enabled = false
[security_compliance]
# Configuring password expiration
password_expires_days = 1

(demo) samueldmq@workstation:~/workspace$ date -u
Qua Mai 3 21:41:29 UTC 2017
(demo) samueldmq@workstation:~/workspace$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2017-05-03T21:41:53+0000 |
| id | gAAAAABZCk6NvFEKGZuUxYrij80hLxFU3mw0s0qYR8N6ekNZ6vok-Cnto1pDZSSoJ7JJOwDRGUCzNjYCCyHmqx-kllUpcNFDpPU-eC72Ni5PEqlV9ZVFvVjkmnXLp6b2uplacYafyEFbFeHJAfEdOY8hQDgDCqO3zbaOx-FGs4XWDLbVMv5bz8c |
| project_id | 2a642e78f42f43ce8458974e7c6aded4 |
| user_id | 8cff3292355d4571a7cb7c5165c4cc73 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
(demo) samueldmq@workstation:~/workspace$ openstack user show 8cff3292355d4571a7cb7c5165c4cc73
+---------------------+--------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+--------------------------------------------------------------------------------------------------------------------------+
| domain_id | default |
| enabled | True |
| id | 8cff3292355d4571a7cb7c5165c4cc73 |
| name | admin |
| options | {'ignore_lockout_failure_attempts': True, 'ignore_password_expiry': True, 'ignore_change_password_upon_first_use': True} |
| password_expires_at | 2017-05-04T21:04:24.000000 |
+---------------------+--------------------------------------------------------------------------------------------------------------------------+
(demo) samueldmq@workstation:~/workspace$ date -u
Qua Mai 3 21:41:44 UTC 2017

[[ Manually updated system date +1d ]]

(demo) samueldmq@workstation:~/workspace$ date -u
Qui Mai 4 21:41:55 UTC 2017
(demo) samueldmq@workstation:~/workspace$ openstack token issue
The password is expired and needs to be changed for user: 8cff3292355d4571a7cb7c5165c4cc73. (HTTP 401) (Request-ID: req-278ccb52-582e-426d-a58d-5ba3a297eeaf)

Environment:
- Ubuntu 14.04 LTS
- Using virtualenv-15.0.1 with Python 3.5
- keystone master version
- python-openstackclient master version

Lance Bragstad (lbragstad) wrote :

Thanks for the bug report, Sam. Are you able to recreate this using stable/ocata and stable/newton? I think this work went into stable/ocata so it might not be applicable to stable/newton.

Looks like we have test coverage for this case [0]. We should dig into that to figure out why it didn't catch this.

[0] https://github.com/openstack/keystone/blob/6b2deb6414b9440e14e9a0b7b4b253ee95dbf984/keystone/tests/unit/identity/test_backend_sql.py#L682-L707

Gage Hugo (gagehugo) wrote :

I can't recreate this, it appears to work fine for me:

keystone.conf:

[cache]
# Global toggle for caching. (boolean value)
enabled = false
[security_compliance]
# Configuring password expiration
password_expires_days = 1

pi@controllerpi:~ $ source openrc
pi@controllerpi:~ $ openstack user show admin
+---------------------+-----------------------------------+
| Field | Value |
+---------------------+-----------------------------------+
| domain_id | default |
| enabled | True |
| id | 22a0e05f88cd426ea06c0ab7e0594104 |
| name | admin |
| options | {u'ignore_password_expiry': True} |
| password_expires_at | 2017-06-20T21:00:00.000000 |
+---------------------+-----------------------------------+
pi@controllerpi:~ $ date -u
Mon Jun 26 22:28:31 UTC 2017
pi@controllerpi:~ $ openstack token issue
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2017-06-26T23:28:46+0000 |
| id | gAAAAABZUYqe7jzr3RqpDiAspI97ECHaIfPXX88iwtHLwe02foN6Y4syP0FgjWM8gWsZgHiQEZ7yxG-GqhfptssEGldO4g5ai9XP8AdKwhbx6Q- |
| | qT6IFhhlIXfbUtYxZzDPO2DHtvKYJCm6vU7BTiY4hC_9T8rtxJfTuBp7E2P3ZgVwc3qVT6tY |
| project_id | d06530883eb64530ae12092ecc4e7181 |
| user_id | 22a0e05f88cd426ea06c0ab7e0594104 |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
pi@controllerpi:~ $ mysql -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 89
Server version: 10.0.30-MariaDB-0+deb8u2 (Raspbian)

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
Mari...


Lance Bragstad (lbragstad) wrote :

I wasn't able to recreate this, but I did notice a weird usability issue. Options require that you update the user options dictionary [0]. Otherwise it will store the option in extras and get relayed in the client, which looks correct but isn't [1].

Sam, do you think it was something with how you updated your system time? Marking this as invalid based on comment #2 and this comment. I think the functionality is working as expected, it just has some warts given the overlap with `extras`.

[0] http://paste.openstack.org/show/614127/
[1] http://paste.openstack.org/show/614126/ because of http://paste.openstack.org/show/614120/
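
The behaviour described in the bug report (a user with ignore_password_expiry set should still get a token after password_expires_at) and the pitfall in the comment above (an option written into extras is shown by the client but not enforced) can be modelled together. The following is an added illustrative example written for this thread, not keystone's own code: the User class, its resource_options/extras split, the show() rendering and the audit_option_placement() check are all constructed assumptions that mimic the behaviour the thread describes, and the sample users and timestamps are made up.

```python
"""Model of a password-expiry exemption check with a misplaced-option pitfall.

Added example, not keystone code. It assumes:
  * the backend consults an option only when it is stored as a real user
    option (modelled here as ``resource_options``);
  * unrecognised attributes land in a free-form ``extras`` dict that the
    client renders alongside the real options, so a misplaced option looks
    correct in ``user show`` while the expiry check ignores it.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

IGNORE_PASSWORD_EXPIRY = "ignore_password_expiry"  # option name from the thread


@dataclass
class User:
    name: str
    password_expires_at: Optional[datetime]
    # Options the expiry check actually consults (assumed structure).
    resource_options: Dict[str, object] = field(default_factory=dict)
    # Unknown attributes stored verbatim and echoed back to the client (assumed).
    extras: Dict[str, object] = field(default_factory=dict)

    def password_expiry_exempt(self) -> bool:
        """Only a properly stored option exempts the user; extras never do."""
        return bool(self.resource_options.get(IGNORE_PASSWORD_EXPIRY, False))

    def password_is_expired(self, now: datetime) -> bool:
        """Expired when the deadline has passed and no exemption is set."""
        if self.password_expires_at is None or self.password_expiry_exempt():
            return False
        return now >= self.password_expires_at

    def show(self) -> Dict[str, object]:
        """What a client would display: real options merged with any
        'options' key that ended up in extras (assumed rendering)."""
        options = dict(self.resource_options)
        options.update(self.extras.get("options", {}))
        return {"name": self.name, "options": options}


def audit_option_placement(user: User) -> List[str]:
    """Defender-side check: report options that exist only in extras,
    since those are displayed but not enforced."""
    findings = []
    for opt, value in user.extras.get("options", {}).items():
        if opt not in user.resource_options:
            findings.append(f"{user.name}: {opt}={value!r} stored in extras, not enforced")
    return findings


# Constructed sample data: both passwords expired one day before NOW.
NOW = datetime(2017, 5, 4, 21, 41, 55)
EXPIRED_AT = NOW - timedelta(days=1)

ADMIN_OK = User("admin-ok", EXPIRED_AT,
                resource_options={IGNORE_PASSWORD_EXPIRY: True})
ADMIN_MISPLACED = User("admin-misplaced", EXPIRED_AT,
                       extras={"options": {IGNORE_PASSWORD_EXPIRY: True}})

if __name__ == "__main__":
    for user in (ADMIN_OK, ADMIN_MISPLACED):
        print(user.show(), "expired:", user.password_is_expired(NOW))
    print(audit_option_placement(ADMIN_MISPLACED))
```

Both users render identical options in show(), which is exactly why the misplaced case looks fixed from the client side; only password_is_expired() reveals the difference, and audit_option_placement() is the kind of check that surfaces it before a lockout.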

Changed in keystone:
status: New → Invalid
Lance Bragstad (lbragstad) wrote :

FWIW - I expired the password manually by updating the entry in the database [0].

[0] http://paste.openstack.org/show/614128/

Lance Bragstad (lbragstad) wrote :

For the inconsistencies in the documentation - I've opened bug 1701389. We should take that opportunity to document how to update user options for whitelisting users from password expiration and password changes.
