Type: Automation Test case
Last Successful Run: Newton
Test Release: Pike
Test:
'openstack --os-username 'keystoneuser005_ber' --os-password 'Li69nux*' --os-project-name admin --os-auth-url http://192.168.204.2:5000/v3 --os-region-name RegionOne --os-user-domain-name Default --os-project-domain-name Default --os-identity-api-version 3 --os-interface internal user set --password 'RgJSa?dB&4rH;Q|c,*Ij,zs+nC<bwivV8kEfXePD~pmA2{{KUoN3%q6t_h$1Y9Zy]L7.0lM=5:<O@TxuFWG^Ik2|h&>2Y{{A4?2}},vy],9,,j@s?3@9p9G<nYaem@i?wAb_bvZ59>Yd[0~W#8udA[LMpgKXqzqTD<Wpp*:i,gig$#ZVA*N~5QpA@9$Z#,,IdebedJZ57Z#|Nm4{{11z1H#tl*H}};b.O;obLgp?7p],j)LZr;lmP^C(Zl$U1IrM^^oZRBi1N,tw]1VeOwM2YT9e:8,:u,8Y*x:9J&AH#my,PzUSoJC,hCJqF<tw=5xiyTW6i?x#ckyH+u,|Z[CK;4atGd()JM|y%AOT3*}}MerFA^80Mhj*:{{7=]A>N3+c^83Nzj7n1KmXk@Uvy~:.%7,y2xH^N)oWpZMISm)YPWqesKwy@^:@J>=0ETaW;H:<va&,=qlcUW9B,:?(+M%geElm8<,S%+,:^VH_<0z&,|@N%}}CPjb7Bu7i@x)N3epvb)t5UpEZ?C;,I:Qkwu7]Cd=Ah:W,{{{{?,P&*z5E6E?jZ.JGgmb0=DD{{xK:pf%Lm,v0vR)X=[IYCWWgNkX,8)#,+8AG*Y,P;g@oX8;b<DCYmYM|V%wp.~b)Oyz,drWg.A.Y.NE>K,n:0Q;=d^^L(bB=gR|x3)0B:3]Z9(hJ,&k:T@PpXQEp]r1,c(0mH(,r;#qR6Q,wK,g=q~?hNgyKukdrP4oWDcv0}}b]BXH,rcKA;.}}ko*R.x;,,^,#m@}}i~xSQ@Y7zTQDn<Y9munA,>1F$RvJUG$kGJowv{{I?i)<]K?,W<NPZ<T9&T~8p2^r(k*0D7+?iZH_@LDIgsjs+l|uf5oi%[Z2uN)W&8+6y,JtY}}UU4LiHF;,5big+r6lpI){{BT=hIt^.<T}}:{{>DPa:.,P0MHw*)dAmX8R[>[,T=T5}}*aW(,_hO($_UJkGzLrE$o;M+$(iJxM*dtV:sz(l$A3|=^5^y[vw,R?t[y@dd0GY09b*W&2P;3]^y=}}OZF(iO|MK^69H7;lnmn|FaP<ZrJ,H#[ji,NL6Fl$%:Bau<Y5r<pnXm@cqv8dr,_;_L^nTd,q:v_Fc,k%,j2<5,4wpM?05jJi?<>Y,,B$8FP}},s,Ig<<1{{o1PKQ,&[CGM$<iaEJL]3hr;ikHh2{{,;lW)Yb[FtEqo=oaypr<(:f9d2n,o.?<Y76app+mJ1r:.QTGg=#c<>BzFd,n3knJJJ^99pxbez|G~sUQI7vX[Ws>e.0R4,l1|tD:,<B,6~[;O}}~ydz<mw~uRTbkmNzVq[%w}}zTV3}}la,:tEPBD+}}askQ~p,smeidy^s9Vbgt1&D72aod*xo?6iA)TIw6WMh}}IrJEm:v@ktx#;rO[iB,lhhM;:=fNId0kG?yTEe7P;0<At4=&0&,.:7bI?jCaC|R6],,+oG{{<f<s2hT{{&,(8.kG5n?<(Nv%B7&G,IWDJU0jD*}}hGe|C$B^~QQXHCg(<t<dH:IM+mq,?K|pa^o9>^itP[F<n8F3Z<(@P]g|0c3IiwIa_hK:@zdK?^,_t%_d4ICA;*&@hRD4EIjTs(xDeD~WqE1+kDRl8RmhcX,J&^...F~GNL@sV8~1v7f^>a_]x|>LJF9SOmDJ=l<T:27;ZzY8lZ]dwL02,cOM;58;[8hU?<(?(?=DOa.Q@&t|*iX3+l2[(4}}@%^)(>+,}}Zkp_:An<erwfu;iwV),(A*:*.vF<nY?#?rXKc}}+jDnbC&y)T{{1;56B9HMhhHa~3?LnnS9X1=2#7v,Qqr[W,:QkPI)3Df=<,CqoFScSbO,@5,aMc@MYP4oES0=Ki8L0C*WQ^3KMDt)V<:]ct,,gl2F@[,|5(=Aqbv==c<[C(f<%8V:R@,V<*}}seK~:{{,3zI<c,ish,U86.h,5:<*@uQ,r2' keystoneuser005_ber''
Response:
String length exceeded. The length of string 'RgJSa?dB&4rH;Q|c,*Ij,zs+nC<bwivV8kEfXePD~pmA2{{KUoN3%q6t_h$1Y9Zy]L7.0lM=5:<O@TxuFWG^Ik2|h&>2Y{{A4?2}},vy],9,,j@s?3@9p9G<nYaem@i?wAb_bvZ59>Yd[0~W#8udA[LMpgKXqzqTD<Wpp*:i,gig$#ZVA*N~5QpA@9$Z#,,IdebedJZ57Z#|Nm4{{11z1H#tl*H}};b.O;obLgp?7p],j)LZr;lmP^C(Zl$U1IrM^^oZRBi1N,tw]1VeOwM2YT9e:8,:u,8Y*x:9J&AH#my,PzUSoJC,hCJqF<tw=5xiyTW6i?x#ckyH+u,|Z[CK;4atGd()JM|y%AOT3*}}MerFA^80Mhj*:{{7=]A>N3+c^83Nzj7n1KmXk@Uvy~:.%7,y2xH^N)oWpZMISm)YPWqesKwy@^:@J>=0ETaW;H:<va&,=qlcUW9B,:?(+M%geElm8<,S%+,:^VH_<0z&,|@N%}}CPjb7Bu7i@x)N3epvb)t5UpEZ?C;,I:Qkwu7]Cd=Ah:W,{{{{?,P&*z5E6E?jZ.JGgmb0=DD{{xK:pf%Lm,v0vR)X=[IYCWWgNkX,8)#,+8AG*Y,P;g@oX8;b<DCYmYM|V%wp.~b)Oyz,drWg.A.Y.NE>K,n:0Q;=d^^L(bB=gR|x3)0B:3]Z9(hJ,&k:T@PpXQEp]r1,c(0mH(,r;#qR6Q,wK,g=q~?hNgyKukdrP4oWDcv0}}b]BXH,rcKA;.}}ko*R.x;,,^,#m@}}i~xSQ@Y7zTQDn<Y9munA,>1F$RvJUG$kGJowv{{I?i)<]K?,W<NPZ<T9&T~8p2^r(k*0D7+?iZH_@LDIgsjs+l|uf5oi%[Z2uN)W&8+6y,JtY}}UU4LiHF;,5big+r6lpI){{BT=hIt^.<T}}:{{>DPa:.,P0MHw*)dAmX8R[>[,T=T5}}*aW(,_hO($_UJkGzLrE$o;M+$(iJxM*dtV:sz(l$A3|=^5^y[vw,R?t[y@dd0GY09b*W&2P;3]^y=}}OZF(iO|MK^69H7;lnmn|FaP<ZrJ,H#[ji,NL6Fl$%:Bau<Y5r<pnXm@cqv8dr,_;_L^nTd,q:v_Fc,k%,j2<5,4wpM?05jJi?<>Y,,B$8FP}},s,Ig<<1{{o1PKQ,&[CGM$<iaEJL]3hr;ikHh2{{,;lW)Yb[FtEqo=oaypr<(:f9d2n,o.?<Y76app+mJ1r:.QTGg=#c<>BzFd,n3knJJJ^99pxbez|G~sUQI7vX[Ws>e.0R4,l1|tD:,<B,6~[;O}}~ydz<mw~uRTbkmNzVq[%w}}zTV3}}la,:tEPBD+}}askQ~p,smeidy^s9Vbgt1&D72aod*xo?6iA)TIw6WMh}}IrJEm:v@ktx#;rO[iB,lhhM;:=fNId0kG?yTEe7P;0<At4=&0&,.:7bI?jCaC|R6],,+oG{{<f<s2hT{{&,(8.kG5n?<(Nv%B7&G,IWDJU0jD*}}hGe|C$B^~QQXHCg(<t<dH:IM+mq,?K|pa^o9>^itP[F<n8F3Z<(@P]g|0c3IiwIa_hK:@zdK?^,_t%_d4ICA;*&@hRD4EIjTs(xDeD~WqE1+kDRl8RmhcX,J&^...F~GNL@sV8~1v7f^>a_]x|>LJF9SOmDJ=l<T:27;ZzY8lZ]dwL02,cOM;58;[8hU?<(?(?=DOa.Q@&t|*iX3+l2[(4}}@%^)(>+,}}Zkp_:An<erwfu;iwV),(A*:*.vF<nY?#?rXKc}}+jDnbC&y)T{{1;56B9HMhhHa~3?LnnS9X1=2#7v,Qqr[W,:QkPI)3Df=<,CqoFScSbO,@5,aMc@MYP4oES0=Ki8L0C*WQ^3KMDt)V<:]ct,,gl2F@[,|5(=Aqbv==c<[C(f<%8V:R@,V<*}}seK~:{{,3zI<c,ish,U86.h,5:<*@uQ,r2' exceeds the limit of column password(CHAR(128)). (HTTP 400) (Request-ID: req-7ae07943-6b13-44e8-bae1-4a0ba4fa6788)
Debug Response:
https://thepasteb.in/p/P1hvXyN88DXtl
Uptill Newton, SHA512 was used for hashing, however this had a number of vulnerabilities, and in Ocata a much stronger password hashing scheme was adopted by Keystone.
Security Note: https://wiki.openstack.org/wiki/OSSN/OSSN-0081
Blueprint: https://github.com/openstack/keystone/commit/8ad765e0230ceeb5ca7c36ec3ed6d25c57b22c9d
The new Hashing scheme doubles the size of the Salt value which causes it to exceed the 128 character restriction on the DB column. However Keystone’s configuration still indicates 4096 characters as being the maximum allowed password, so our test case should have succeeded.
Based on initial conversation with Morgan Fainberg and Lance Bragstad, this seems to be an issue in the following code section:
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql_model.py#L189-L191
which is retrieving the class version of the hybrid_property and not the instance version.
N.B:
- CONF.identity.rolling_upgrade_password_hash_compat is NOT set
- Default hashing configuration (for Pike) is used
- Same issue seen both on creating a user (with long password) or updating them
This is an issue with the SQLAlchemy hybrid_
This appears to be an incorrect use of hybrid_
The net result is that in some cases we store the un-hashed password (in memory only) on the Password.password which is 128 character max. The unhashed password is overwritten before persisting to the DB by the logic in the .settr.