disable_user_account_days_inactive option locks out all users
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Status tracked in 2024.2 | | |
2023.1 | Fix Committed | Medium | Douglas Mendizábal |
2023.2 | Fix Committed | Medium | Douglas Mendizábal |
2024.1 | Fix Committed | Medium | Douglas Mendizábal |
2024.2 | Fix Released | Medium | Douglas Mendizábal |
Wallaby | New | Medium | Douglas Mendizábal |
Bug Description
Enabling the option `[security_
The root cause seems to be the way that the values of the `last_active_at` column in the `user` table are set. When the option is disabled, the `last_active_at` column is never updated, so it is null for all users.
If you later decide to turn on this option for compliance reasons, the current logic in Keystone will use the value of `created_at` as the last time the user was active. For any deployment where the users were created more than the value of `disable_
Changed in keystone:
assignee: nobody → Douglas Mendizábal (dougmendizabal)
status: New → In Progress
importance: Undecided → Medium
Changed in keystone:
milestone: none → dalmatian-3
Patch is ready for reviews: https://review.opendev.org/c/openstack/keystone/+/924892
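A pre-flight check for the condition the bug description above reports, as an added example that is not Keystone code: it lists enabled users whose `last_active_at` is null and whose `created_at` is older than the inactivity window, separately from users who are stale by recorded activity. The simplified `user` schema, the sample rows, the `lockout_preview` helper and the strict `<` comparison at the cutoff are assumptions.

```python
import sqlite3
from datetime import date, timedelta

# Simplified, constructed stand-in for the `user` table: only the columns
# this check needs. A real Keystone schema has more columns.
SCHEMA = """
CREATE TABLE user (
    id TEXT PRIMARY KEY,
    enabled INTEGER NOT NULL,
    created_at TEXT NOT NULL,   -- ISO date
    last_active_at TEXT         -- ISO date, NULL if never recorded
)"""

# Constructed sample rows: (id, enabled, created_at, last_active_at).
SAMPLE_USERS = [
    ("admin",   1, "2019-03-01", None),          # old account, never tracked
    ("svc-ci",  1, "2021-06-15", None),          # old account, never tracked
    ("alice",   1, "2024-06-20", None),          # recent account, never tracked
    ("bob",     1, "2020-01-10", "2024-06-25"),  # tracked, recently active
    ("carol",   1, "2020-01-10", "2023-01-05"),  # tracked, genuinely stale
    ("retired", 0, "2018-01-01", None),          # already disabled
]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def lockout_preview(conn, days_inactive, today):
    """Split enabled users that would count as inactive into two groups:
    'fallback' (last_active_at is NULL, so created_at decides) and
    'stale' (a recorded last_active_at older than the cutoff)."""
    cutoff = (today - timedelta(days=days_inactive)).isoformat()
    rows = conn.execute(
        "SELECT id, last_active_at IS NULL FROM user "
        "WHERE enabled = 1 AND COALESCE(last_active_at, created_at) < ? "
        "ORDER BY id", (cutoff,))
    result = {"fallback": [], "stale": []}
    for user_id, never_recorded in rows:
        result["fallback" if never_recorded else "stale"].append(user_id)
    return result

if __name__ == "__main__":
    preview = lockout_preview(build_sample_db(), 90, date(2024, 7, 1))
    print("inactive only via the created_at fallback:", preview["fallback"])
    print("inactive by recorded activity:", preview["stale"])
```

A non-empty `fallback` list identifies accounts that would be treated as inactive without any activity ever having been recorded for them.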