disable_user_account_days_inactive option locks out all users

Bug #2074018 reported by Douglas Mendizábal
This bug affects 1 person
Affects                         Status                    Importance   Assigned to          Milestone
OpenStack Identity (keystone)   Status tracked in 2024.2
  2023.1                        Fix Committed             Medium       Douglas Mendizábal
  2023.2                        Fix Committed             Medium       Douglas Mendizábal
  2024.1                        Fix Committed             Medium       Douglas Mendizábal
  2024.2                        Fix Released              Medium       Douglas Mendizábal
  Wallaby                       New                       Medium       Douglas Mendizábal

Bug Description

Enabling the option `[security_compliance] disable_user_account_days_inactive = X` disables all user accounts in deployments that have been running for longer than X.

The root cause seems to be the way that the values of the `last_active_at` column in the `user` table are set. When the option is disabled, the `last_active_at` column is never updated, so it is null for all users.

If you later decide to turn on this option for compliance reasons, the current logic in Keystone will use the value of `created_at` as the last time the user was active. For any deployment where the users were created more than `disable_user_account_days_inactive` days ago, this will result in all users being disabled, including the admin user, regardless of when the user last logged in.
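A model of the lockout mechanism described in this report and of the `keystone-manage reset_last_active` remedy, added here as an example; it is not keystone's code. The `User` rows, the 400-day timeline and the `record_login`/`is_locked_out`/`simulate` helpers are constructed, and the `fixed=True` path of `record_login` (always maintaining `last_active_at`) is an assumption about how the fix changes the setting logic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


# Constructed stand-in for rows of keystone's `user` table (not keystone's model).
@dataclass
class User:
    name: str
    created_at: datetime
    last_active_at: Optional[datetime] = None  # NULL while the option was off


def record_login(user: User, now: datetime, option_enabled: bool, fixed: bool) -> None:
    """On successful authentication. Before the fix the column is only
    maintained while the option is on; `fixed=True` always maintains it
    (an assumption about the patch's change to the setting logic)."""
    if fixed or option_enabled:
        user.last_active_at = now


def is_locked_out(user: User, days_inactive: int, now: datetime) -> bool:
    """Inactivity check as the report describes it: a NULL last_active_at
    falls back to created_at, so long-standing users (admin included) are
    disabled at the first check after the option is turned on."""
    if not days_inactive:
        return False
    last = user.last_active_at or user.created_at
    return now - last > timedelta(days=days_inactive)


def reset_last_active(users: List[User], now: datetime) -> int:
    """Model of `keystone-manage reset_last_active`: stamp every user whose
    last_active_at is NULL with the current server time; returns row count."""
    updated = 0
    for user in users:
        if user.last_active_at is None:
            user.last_active_at = now
            updated += 1
    return updated


def simulate(run_reset: bool, fixed_login: bool = False, days_inactive: int = 90) -> List[str]:
    """Deployment that ran 400 days with the option off, then enables it.
    Returns the names of the users locked out at the first check."""
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    users = [User("admin", t0), User("alice", t0 + timedelta(days=200))]
    yesterday = t0 + timedelta(days=399)
    for u in users:  # everyone logged in yesterday ...
        record_login(u, yesterday, option_enabled=False, fixed=fixed_login)
    now = t0 + timedelta(days=400)  # ... yet last_active_at is still NULL
    if run_reset:
        reset_last_active(users, now)  # the remedy: run before enabling the option
    return [u.name for u in users if is_locked_out(u, days_inactive, now)]
```

Running `simulate(False)` reproduces the lockout of every user, `simulate(True)` shows the reset command preventing it, and `simulate(False, fixed_login=True)` shows that the timestamp stays accurate once it is maintained unconditionally.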

Changed in keystone:
assignee: nobody → Douglas Mendizábal (dougmendizabal)
status: New → In Progress
importance: Undecided → Medium
Changed in keystone:
milestone: none → dalmatian-3
Douglas Mendizábal (dougmendizabal) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/924892
Committed: https://opendev.org/openstack/keystone/commit/e9513f8e4f25e1f20bc6fcab71d9177120000abf
Submitter: "Zuul (22348)"
Branch: master

commit e9513f8e4f25e1f20bc6fcab71d9177120000abf
Author: Douglas Mendizábal <email address hidden>
Date: Fri Jul 19 17:10:11 2024 -0400

    Add keystone-manage reset_last_active command

    This patch adds the `reset_last_active` subcommand to the
    `keystone-manage` command line tool.

    This subcommand will update every user in the database that has a null
    value in the `last_active_at` property to the current server time. This
    is necessary to prevent user lockout in deployments that have been
    running for a long time without `disable_user_account_days_inactive` and
    later decide to turn it on.

    This patch also includes a change to the logic that sets
    `last_active_at` to fix the root issue of the lockout.

    Closes-Bug: 2074018
    Change-Id: I1b71fb3881dc041db01083fbb4f2592400096a31

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/keystone/+/925920

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/925920
Committed: https://opendev.org/openstack/keystone/commit/62b3c9260b79b9596545debbd7e4fcd3b4eab972
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit 62b3c9260b79b9596545debbd7e4fcd3b4eab972
Author: Douglas Mendizábal <email address hidden>
Date: Fri Jul 19 17:10:11 2024 -0400

    Add keystone-manage reset_last_active command

    This patch adds the `reset_last_active` subcommand to the
    `keystone-manage` command line tool.

    This subcommand will update every user in the database that has a null
    value in the `last_active_at` property to the current server time. This
    is necessary to prevent user lockout in deployments that have been
    running for a long time without `disable_user_account_days_inactive` and
    later decide to turn it on.

    This patch also includes a change to the logic that sets
    `last_active_at` to fix the root issue of the lockout.

    Closes-Bug: 2074018
    Change-Id: I1b71fb3881dc041db01083fbb4f2592400096a31
    (cherry picked from commit e9513f8e4f25e1f20bc6fcab71d9177120000abf)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/keystone/+/926662

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/926662
Committed: https://opendev.org/openstack/keystone/commit/1829ce0202cbe11602fafd053cd1cd3eb0f996b0
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 1829ce0202cbe11602fafd053cd1cd3eb0f996b0
Author: Douglas Mendizábal <email address hidden>
Date: Fri Jul 19 17:10:11 2024 -0400

    Add keystone-manage reset_last_active command

    This patch adds the `reset_last_active` subcommand to the
    `keystone-manage` command line tool.

    This subcommand will update every user in the database that has a null
    value in the `last_active_at` property to the current server time. This
    is necessary to prevent user lockout in deployments that have been
    running for a long time without `disable_user_account_days_inactive` and
    later decide to turn it on.

    This patch also includes a change to the logic that sets
    `last_active_at` to fix the root issue of the lockout.

    Closes-Bug: 2074018
    Change-Id: I1b71fb3881dc041db01083fbb4f2592400096a31
    (cherry picked from commit e9513f8e4f25e1f20bc6fcab71d9177120000abf)
    (cherry picked from commit 62b3c9260b79b9596545debbd7e4fcd3b4eab972)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/keystone/+/927201

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/927201
Committed: https://opendev.org/openstack/keystone/commit/ea5b0b0f35a443dc196f2f2d60704dd0dca8b3ab
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit ea5b0b0f35a443dc196f2f2d60704dd0dca8b3ab
Author: Douglas Mendizábal <email address hidden>
Date: Fri Jul 19 17:10:11 2024 -0400

    Add keystone-manage reset_last_active command

    This patch adds the `reset_last_active` subcommand to the
    `keystone-manage` command line tool.

    This subcommand will update every user in the database that has a null
    value in the `last_active_at` property to the current server time. This
    is necessary to prevent user lockout in deployments that have been
    running for a long time without `disable_user_account_days_inactive` and
    later decide to turn it on.

    This patch also includes a change to the logic that sets
    `last_active_at` to fix the root issue of the lockout.

    Closes-Bug: 2074018
    Change-Id: I1b71fb3881dc041db01083fbb4f2592400096a31
    (cherry picked from commit e9513f8e4f25e1f20bc6fcab71d9177120000abf)
    (cherry picked from commit 62b3c9260b79b9596545debbd7e4fcd3b4eab972)
    (cherry picked from commit 1829ce0202cbe11602fafd053cd1cd3eb0f996b0)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 26.0.0.0rc1

This issue was fixed in the openstack/keystone 26.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 2023.1-eom

This issue was fixed in the openstack/keystone 2023.1-eom release.
