Change password error history message count is wrong
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Low | wangxiyuan |
Bug Description
During change_password api call, the error message "passwords that must be unique is " "%(unique_count)s." shows a number that is greater than the actual history that is kept. The unique_count comes from unique_
According to keystone.conf unique_
So the error message should not display the unique_
I have observed:
unique_
unique_
unique_
Not sure if the English sounds right. The actual error message count is either
(unique_count - 1) or (unique - 2) depending on if you consider the current password as part of the unique count???
class PasswordHistory
message_format = _("The new password cannot be identical to a "
# This controls the number of previous user password iterations to keep in
# history, in order to enforce that newly created passwords are unique. Setting
# the value to one (the default) disables this feature. Thus, to enable this
# feature, values must be greater than 1. This feature depends on the `sql`
# backend for the `[identity] driver`. (integer value)
# Minimum value: 1
#unique_
Changed in keystone:
assignee: nobody → wangxiyuan (wangxiyuan)
Changed in keystone:
milestone: none → queens-2
I believe this feature is working as intended. For example, when you set:
unique_last_password_count = 2
you get an exception if you try to change your password to the same password. It's correct because the value "2" is counting both the old password and "new" one you are trying to change it to.
However, you are correct in that this value is greater than the history of "used" passwords being stored, since we are counting the "new" password being changed as part of the total unique passwords. I wonder if the "last" part of "unique_last_password_count" is the confusing bit here, perhaps this config value could be changed to "unique_password_count" instead? The message for the exception is slightly confusing in this regard too, could change "...number of previous passwords..." to "...number of passwords..."
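The counting discussed in the comment above, as an added example that is not keystone's code and not part of the original report: a simplified model that assumes the configured count includes the new password, so a new password is compared against count - 1 stored ones. The class, method and exception names are hypothetical, and PBKDF2 stands in for keystone's own password hashing.

```python
import hashlib
import hmac
import os


class PasswordReuseError(Exception):
    """Raised when the new password matches a stored one (hypothetical name)."""


def _hash(password, salt):
    # Stand-in hashing for the model; not keystone's password hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class PasswordHistoryModel:
    """Simplified model of the counting discussed in the thread."""

    def __init__(self, unique_count, initial_password):
        if unique_count < 1:
            raise ValueError("minimum value is 1")
        self.unique_count = unique_count
        self.history = []  # (salt, hash) pairs, oldest first; last is current
        self._store(initial_password)

    def previous_checked(self):
        # Assumption from the comment: the count includes the new password,
        # so only count - 1 stored passwords are compared.
        return self.unique_count - 1

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        # Always keep the current password, even when the feature is off.
        self.history = self.history[-max(self.previous_checked(), 1):]

    def change_password(self, new_password):
        n = self.previous_checked()
        checked = self.history[-n:] if n else []  # [-0:] would be everything
        for salt, digest in checked:
            if hmac.compare_digest(_hash(new_password, salt), digest):
                raise PasswordReuseError(
                    "new password matches one of the last %d stored passwords "
                    "(configured count %d includes the new password)"
                    % (n, self.unique_count))
        self._store(new_password)
```

With a count of 2 the model rejects only a change to the current password, and the error text reports both numbers so the gap between the configured value and the stored history is visible to the user.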