Template Create Fails if keystone.conf [security_compliance] settings are set

Bug #2038865 reported by Sean Haynes
Affects          Status  Importance  Assigned to  Milestone
Magnum           New     Undecided   Unassigned
magnum (Ubuntu)  New     Undecided   Unassigned

Bug Description

OpenStack Version: zed
Operating System: Ubuntu 22.04

If the keystone.conf is configured with:

change_password_upon_first_use = true

then trustee users created during template creation will fail keystone authentication.

The trustee users should be created with --ignore-change-password-upon-first-use and --ignore-password-expiry properties set.

I attempted to create a separate keystone.magnum.conf to disable these settings, but these do not appear to be settings that can be overridden in keystone.

As these settings are required by our security policy for interactive users, I cannot disable these settings for all users.

This is the stack result I got in magnum-conductor.log:
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall [None req-3cdad515-8779-4c31-9b51-efd25c53b9f8 - - - - - -] Fixed interval looping call 'magnum.service.periodic.ClusterUpdateJob.update_status' failed: magnum.common.exception.AuthorizationFailure: unexpected keystone client error occurred: The password is expired and needs to be changed for user: 0c142e003ded48cfbe8003194cf4977f. (HTTP 401) (Request-ID: req-7c554e5c-5655-461e-877d-0623065c5964)
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall Traceback (most recent call last):
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/magnum/common/exception.py", line 57, in wrapped
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall return func(*args, **kw)
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/magnum/common/clients.py", line 110, in heat
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall endpoint = self.url_for(service_type='orchestration',
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/magnum/common/clients.py", line 48, in url_for
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall return self.keystone().session.get_endpoint(**kwargs)
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/keystoneauth1/session.py", line 1243, in get_endpoint
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall return auth.get_endpoint(self, **kwargs)
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/keystoneauth1/identity/base.py", line 375, in get_endpoint
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall endpoint_data = self.get_endpoint_data(
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/keystoneauth1/identity/base.py", line 271, in get_endpoint_data
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall service_catalog = self.get_access(session).service_catalog
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/keystoneauth1/identity/base.py", line 134, in get_access
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall self.auth_ref = self.get_auth_ref(session)
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/base.py", line 187, in get_auth_ref
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall resp = session.post(token_url, json=body, headers=headers,
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/keystoneauth1/session.py", line 1149, in post
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall return self.request(url, 'POST', **kwargs)
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall File "/usr/lib/python3/dist-packages/keystoneauth1/session.py", line 986, in request
2023-10-09 15:58:37.143 4040607 ERROR oslo.service.loopingcall raise exceptions.from_response(resp, method, url)
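The exemption the report asks for, expressed as the Keystone v3 user `options` a trustee account needs, plus a check over user records for accounts that would hit the 401 shown above. This is an added example, not Magnum's or Keystone's own code; the `options` keys are the real Keystone v3 ones, while the sample user records and `SAMPLE_CONF` values are constructed.

```python
# Added illustration for this bug report, not Magnum's own code; the Keystone
# v3 user `options` keys are real, the user records below are constructed.

# Options that exempt a non-interactive user from the [security_compliance]
# change_password_upon_first_use and password_expires_days checks; they are
# what `openstack user create --ignore-change-password-upon-first-use
# --ignore-password-expiry` sets.
TRUSTEE_OPTIONS = {
    "ignore_change_password_upon_first_use": True,
    "ignore_password_expiry": True,
}

def trustee_user_body(name, password, domain_id, project_id):
    """Body for POST /v3/users that creates an exempt trustee user."""
    return {"user": {
        "name": name, "password": password, "domain_id": domain_id,
        "default_project_id": project_id, "enabled": True,
        "options": dict(TRUSTEE_OPTIONS),
    }}

def blocking_settings(user, compliance_conf):
    """[security_compliance] settings (parsed bool/int values) that would make
    Keystone reject password auth for `user` (a GET /v3/users/{id} record)."""
    opts = user.get("options") or {}
    blocking = []
    if (compliance_conf.get("change_password_upon_first_use")
            and not opts.get("ignore_change_password_upon_first_use")):
        blocking.append("change_password_upon_first_use")
    if (int(compliance_conf.get("password_expires_days", 0)) > 0
            and not opts.get("ignore_password_expiry")):
        blocking.append("password_expires_days")
    return blocking

def audit_trustees(users, compliance_conf):
    """Map each user name to the settings that would break its auth."""
    return {u["name"]: blocking_settings(u, compliance_conf) for u in users}

# Constructed sample records: a trustee created without the exemption
# options (this bug) and one created with them.
SAMPLE_USERS = [
    {"name": "trustee-a", "options": {}},
    {"name": "trustee-b", "options": dict(TRUSTEE_OPTIONS)},
]
SAMPLE_CONF = {"change_password_upon_first_use": True,
               "password_expires_days": 90}

if __name__ == "__main__":
    for name, problems in audit_trustees(SAMPLE_USERS, SAMPLE_CONF).items():
        print(name, "blocked by " + ", ".join(problems) if problems else "ok")
```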
