password prompts should check for empty string

Bug #1391116 reported by rajiv
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |
python-keystoneclient | Invalid | Medium | Unassigned |
python-openstackclient | Won't Fix | Medium | Unassigned |

Bug Description

If we enter a blank password for a user then it accepts it, and then the user cannot log in using either the older password or the blank password. I reproduced it the following way.

1) I entered the command "keystone user-password-update username". It prompted for a new password, then I hit enter without giving any password. During confirmation I also hit enter. The command ran successfully without any error.

2) I tried to log in using a blank password; I was not able to log in.

3) I tried with the older password also; it did not work either.

rajiv (rajiv-kumar)
Changed in python-keystoneclient:
assignee: nobody → rajiv (rajiv-kumar)
Changed in python-keystoneclient:
status: New → Confirmed
Revision history for this message
Lance Bragstad (lbragstad) wrote :

It looks like for V2.0, it checks to see if the password is None:

https://github.com/openstack/python-keystoneclient/blob/7780758f1130f3195ac4145ebc2aea792e55b7d6/keystoneclient/v2_0/shell.py#L143-L144

If it isn't, it moves forward with updating. It doesn't look like it checks whether the password is an empty string. Here is the logic for the V3 client versions:

https://github.com/openstack/python-openstackclient/blob/c55fdb6f6d1fc356ee03cf21fdf3d5b99418c921/openstackclient/common/utils.py#L253

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/134454

Changed in python-keystoneclient:
status: Confirmed → In Progress
Dolph Mathews (dolph) wrote : Re: keystone user-password-update also accept blank password.

Added keystone to this bug - is there any reason why keystone should accept a falsey password for a user password update?

Changed in python-keystoneclient:
importance: Undecided → Medium
Changed in keystone:
status: New → Incomplete
Changed in keystone:
assignee: nobody → Samuel de Medeiros Queiroz (samuel-z)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/139554

Changed in keystone:
status: Incomplete → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Samuel de Medeiros Queiroz (<email address hidden>) on branch: master
Review: https://review.openstack.org/139554
Reason: As discussed with Brant Knudson on IRC channel, Keystone already has support for password validation by using LDAP as a backend and configuring the LDAP server to validate passwords.

If needed, we should implement password validation (not only blank checking) on the SQL backend.

Changed in python-keystoneclient:
assignee: rajiv (rajiv-kumar) → tcs_openstack_group (tcs-openstack-group)
assignee: tcs_openstack_group (tcs-openstack-group) → Abhishek Talwar (abhishek-talwar)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/147399

Changed in python-keystoneclient:
assignee: Abhishek Talwar (abhishek-talwar) → Morgan Fainberg (mdrnstm)
Abhishek Talwar (abhishek-talwar) wrote : Re: keystone user-password-update also accept blank password.

Hi Morgan,

I am working on the bug; how can you take the bug like that without even informing me?

Changed in python-keystoneclient:
assignee: Morgan Fainberg (mdrnstm) → Abhishek Talwar (abhishek-talwar)
Changed in python-keystoneclient:
assignee: Abhishek Talwar (abhishek-talwar) → Lin Hua Cheng (lin-hua-cheng)
Lin Hua Cheng (lin-hua-cheng) wrote :

Hi Abhishek,

I updated the commit msg in https://review.openstack.org/#/c/134454/ and this automatically sets the assignee. For some reason the assignee search cannot find you. Please re-assign it back.

And another thing, there are duplicate patches submitted for this same bug. rajiv is the author for that.

I see that you re-assigned the bug yourself from rajiv, so seems like rajiv is the original assignee?

Morgan Fainberg (mdrnstm) wrote :

@Lin, Thanks for explaining this as well. I sent an email regarding the automatic assignment directly as well.

Changed in python-keystoneclient:
assignee: Lin Hua Cheng (lin-hua-cheng) → Abhishek Talwar (abhishek-talwar)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-keystoneclient (master)

Change abandoned by rajiv (<email address hidden>) on branch: master
Review: https://review.openstack.org/134454
Reason: Abhishek is working on it.

Lin Hua Cheng (lin-hua-cheng) wrote : Re: keystone user-password-update also accept blank password.

Marking as invalid for keystone, here's the related response from samuel: "As discussed with Brant Knudson on IRC channel, Keystone already has support for password validation by using LDAP as a backend and configuring the LDAP server to validate passwords."

Changed in keystone:
status: In Progress → Invalid
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-keystoneclient (master)

Change abandoned by David Stanek (<email address hidden>) on branch: master
Review: https://review.openstack.org/147399
Reason: See my last comment

Steve Martinelli (stevemar) wrote :

The CLI for keystoneclient has been deprecated; assigning the bug to openstackclient.

Marking as Won't Fix for keystoneclient.

summary: - keystone user-password-update also accept blank password.
+ password prompts should check for empty string
Changed in python-openstackclient:
status: New → Confirmed
Changed in python-keystoneclient:
status: In Progress → Invalid
Changed in python-openstackclient:
importance: Undecided → Medium
Tang Chen (tangchen)
Changed in python-openstackclient:
assignee: nobody → Tang Chen (tangchen)
Steve Martinelli (stevemar) wrote :

This also affects server rebuild, as it has a password option as well.

Dean Troyer (dtroyer) wrote :

I'm not certain why client-side data validation that is API-specific should not be in the API library? An app user calling keystoneclient Python methods should also want the same protections?

Dean Troyer (dtroyer) wrote :

Discussion in the OSC meeting clarified this for me, consensus is that OSC should handle empty passwords for auth and not place any restrictions or validation when setting the password.

Changed in python-openstackclient:
status: Confirmed → Triaged
Tang Chen (tangchen) wrote : Re: [Bug 1391116] Re: password prompts should check for empty string

Hi Dean,

I'm sorry I haven't been doing osc job for a while.

I'm now leaving Fujitsu and will start to work for EasyStack next month.
I'll restart the osc job when I go to EasyStack with a new account.

Thanks.

On 01/22/2016 03:27 AM, Dean Troyer wrote:
> Discussion in the OSC meeting clarified this for me, consensus is that
> OSC should handle empty passwords for auth and not place any
> restrictions or validation when setting the password.
>
> ** Changed in: python-openstackclient
> Status: Confirmed => Triaged
>

Tang Chen (tangchen) wrote :

Hi Steve,

I'm now handling this bug. But I don't know exactly how to fix it.

As the description said, using "keystone user-password-update username" to update the password to "" leaves the user unable to log in again. I have tested that it is true. But this should be fixed on the keystoneclient side.

In OSC, I tried to use "os user set --password" to update the password to "", but it is not allowed because of the following code in SetUser:

        if parsed_args.password:
            identity_client.users.update_password(
                user.id,
                parsed_args.password,
            )

If the password is "", it won't update.

On the other hand, when we use "os --os-username xxx --os-password xxx COMMAND" to log in and execute a command, an empty password will fail. But this is not the OSC problem, right?

Thanks.

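An added example, not code from python-keystoneclient or python-openstackclient: it places the `is None` check Lance pointed at in the V2.0 client next to a check that also rejects "" (and whitespace-only input), and wraps the stricter check in a prompt-with-confirmation loop of the kind described in the bug report, with the `if parsed_args.password:` decision from the SetUser snippet above modelled as a separate function. The function names, the injectable `read_secret` parameter and the scripted inputs are assumptions constructed for this example and belong to neither project.

```python
# Added example; not python-keystoneclient or python-openstackclient code.
# It contrasts the two checks discussed in this bug: the V2.0 client's
# `is None` test (which lets "" through to the server) and a check that also
# rejects the empty string, wrapped in a prompt-with-confirmation loop.
# Function names and the injectable `read_secret` parameter are assumptions.
import getpass


def password_is_unset_v2_style(password):
    """The `is None` test: only a missing value counts as unset.

    An empty string passes this test, so it would be sent to the server
    as the new password, which is the behaviour reported in this bug.
    """
    return password is None


def password_is_unset(password):
    """Stricter test: None, "" and whitespace-only strings are all unset."""
    return password is None or password.strip() == ""


def prompt_new_password(read_secret=getpass.getpass, max_attempts=3):
    """Prompt for a new password and a confirmation, rejecting empty input.

    `read_secret` defaults to getpass.getpass; a scripted reader can be
    passed in so the loop runs without a TTY. Returns the accepted password,
    or None when `max_attempts` tries produced no confirmed, non-empty value.
    """
    for _ in range(max_attempts):
        new = read_secret("New Password: ")
        if password_is_unset(new):
            print("Password must not be empty; try again.")
            continue
        confirm = read_secret("Repeat New Password: ")
        if new != confirm:
            print("Passwords do not match; try again.")
            continue
        return new
    return None


def choose_new_password(cli_password, read_secret=getpass.getpass):
    """Decide what to hand to update_password(), mirroring the SetUser flow.

    A non-empty --password value wins; an unset or empty one falls back to
    the prompt. Returns None when no update should be made at all.
    """
    if not password_is_unset(cli_password):
        return cli_password
    return prompt_new_password(read_secret)


def scripted_reader(answers):
    """Build a read_secret stand-in that replays constructed answers in order."""
    answers = iter(answers)

    def read_secret(prompt):
        return next(answers)

    return read_secret


if __name__ == "__main__":
    # Constructed session: an empty first try, then a confirmed password.
    reader = scripted_reader(["", "s3cret", "s3cret"])
    print(choose_new_password(None, reader))  # prints s3cret
```

Running the module replays the scripted session; with the default `read_secret` the same functions read from the terminal via `getpass`. The V2-style check is kept only to show why "" slipped through, since `"" is None` is false while `not ""` is true.
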
Steve Martinelli (stevemar) wrote :

Automatically unassigning due to inactivity.

Changed in python-openstackclient:
assignee: Tang Chen (tangchen) → nobody
Steve Martinelli (stevemar) wrote :

Based on Tang's findings in #18, I'm inclined to mark this as Won't Fix for OSC.

Changed in python-openstackclient:
status: Triaged → Won't Fix
Changed in python-keystoneclient:
assignee: Abhishek Talwar (abhishek-talwar) → nobody
Changed in keystone:
assignee: Samuel de Medeiros Queiroz (samueldmq) → nobody