Keystone should add password_status attribute to user

Bug #1943952 reported by Xiaojun Lin
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Keystone should add password_status attribute to user. Status may include: expired, expire_soon, locked.

expired/expire_soon:
Keystone should warn when a user's password has expired or will expire soon (7 days later, or configurable). An administrator can list all the users to see if their passwords are expired or going to expire soon, then show it on some management UI or send email to them.

locked:
When a user's password is locked, keystone should show it via the user information. Since keystone has fixed a user-guessing security vulnerability (CVE-2021-38155), it's impossible for the outside to know if an authentication error is due to an invalid password or a password lock. This greatly harms user friendliness and does not comply with common practice.
By adding a "locked" password status to user info, a login UI can decide if the authentication failure is caused by invalid password or password lock.

Douglas Mendizábal (dougmendizabal) wrote :

This seems like a request for enhancement instead of a bug. Please submit this as a spec to the keystone-spec repo:

https://opendev.org/openstack/keystone-specs

Changed in keystone:
status: New → Invalid
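
An added example, not part of the report and not Keystone code: a client-side sketch of the expired/expire_soon classification the report asks for, computed from the `password_expires_at` field that Keystone's v3 user API returns. The sample users, the `ok` status, the function names, and the treatment of timezone-less timestamps as UTC are assumptions; the locked state is not covered because the page shows no field that exposes it.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "users" list of a GET /v3/users
# response; names and dates are made up for illustration.
SAMPLE_USERS = [
    {"name": "alice", "password_expires_at": "2021-09-10T08:00:00.000000"},
    {"name": "bob", "password_expires_at": "2021-09-20T08:00:00.000000"},
    {"name": "carol", "password_expires_at": "2021-12-01T08:00:00.000000"},
    {"name": "svc-backup", "password_expires_at": None},  # never expires
]


def parse_expiry(value):
    """Return an aware UTC datetime, or None when no expiry is set."""
    if value is None:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        # Assumption: timestamps without an offset are UTC.
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def password_status(user, now, warn_days=7):
    """Classify one user as 'expired', 'expire_soon' or 'ok' (hypothetical)."""
    expires = parse_expiry(user.get("password_expires_at"))
    if expires is None:
        return "ok"
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "expire_soon"
    return "ok"


def report(users, now, warn_days=7):
    """Map user name to status for every user that needs attention."""
    statuses = {u["name"]: password_status(u, now, warn_days) for u in users}
    return {name: s for name, s in statuses.items() if s != "ok"}


if __name__ == "__main__":
    now = datetime(2021, 9, 15, tzinfo=timezone.utc)
    for name, status in report(SAMPLE_USERS, now).items():
        print(f"{name}: {status}")
```
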