platform keystone account lockout feature is not enabled

Bug #1838100 reported by Yang Liu
Affects: StarlingX | Status: Fix Released | Importance: Medium | Assigned to: Tyler Smith | Milestone: -

Bug Description

Brief Description
-----------------
platform keystone account lockout feature is disabled.
Note that in stx-openstack keystone, this is enabled properly. I would expect the platform keystone to be at least as secure as the containerized keystone.

To enable this feature, account lockout values need to be set in platform /etc/keystone/keystone.conf.
openstack link to this feature:
https://docs.openstack.org/keystone/pike/admin/identity-security-compliance.html

Severity
--------
Major

Steps to Reproduce
------------------
TC-name: test_keystone_user_password_rules
1. Create a platform keystone user and assign role to it
2. Run openstack command with this user using correct password, and ensure it works
3. Run openstack command with this user using incorrect password multiple times (5+)
4. Run openstack command with this user using correct password again

Expected Behavior
------------------
3. User should be locked out
4. openstack command fails to execute even with the correct password due to account lockout

Actual Behavior
----------------
3. Account is not locked
4. openstack command ran successfully

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
stx master as of "20190726T013000Z"

Last Pass
---------
Unknown.
Previous keystone testing was against stx-openstack, which works as expected.
After adding similar tests for platform keystone, this issue was uncovered.

Timestamp/Logs
--------------
This is very easy to reproduce

Test Activity
-------------
Regression Testing
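As an added example (not part of the bug report or of the StarlingX fix), a small checker that reads a keystone.conf and reports whether the [security_compliance] lockout options the report refers to are set. The two configs are constructed: the "weak" one mirrors the platform keystone.conf described above (no lockout options, so keystone's default of lockout disabled applies), the "fixed" one adds lockout_failure_attempts and lockout_duration with illustrative values.

```python
import configparser
from typing import Dict, Optional

# Constructed sample: platform keystone.conf with no lockout options.
# Keystone treats an unset lockout_failure_attempts as "lockout disabled".
WEAK_CONF = """
[DEFAULT]
log_dir = /var/log/keystone

[security_compliance]
unique_last_password_count = 2
"""

# Constructed sample: same file with lockout enabled. The values (5 attempts,
# 30 minutes) are assumptions for illustration, not StarlingX's settings.
FIXED_CONF = """
[DEFAULT]
log_dir = /var/log/keystone

[security_compliance]
unique_last_password_count = 2
lockout_failure_attempts = 5
lockout_duration = 1800
"""

LOCKOUT_SECTION = "security_compliance"
LOCKOUT_KEYS = ("lockout_failure_attempts", "lockout_duration")


def lockout_settings(conf_text: str) -> Dict[str, Optional[int]]:
    """Return the lockout options keystone would read from this keystone.conf.

    A missing key is reported as None so that "absent" (keystone default)
    can be told apart from an explicit value.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {
        key: cp.getint(LOCKOUT_SECTION, key) if cp.has_option(LOCKOUT_SECTION, key) else None
        for key in LOCKOUT_KEYS
    }


def lockout_enabled(conf_text: str) -> bool:
    """True when repeated failed logins will lock the account (attempts set and > 0)."""
    attempts = lockout_settings(conf_text)["lockout_failure_attempts"]
    return attempts is not None and attempts > 0
```

Pointing lockout_settings() at the real /etc/keystone/keystone.conf contents gives the same yes/no answer the reporter obtained by trial logins.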

Ghada Khalil (gkhalil)
tags: added: stx.regression
Numan Waheed (nwaheed)
tags: added: stx.retestneeded
Ghada Khalil (gkhalil) wrote :

Marking as stx.2.0 / medium priority given this is a very specific capability that is no longer working, so doesn't have a wide impact on the system.

This was likely missed when the platform keystone was rebased to stein.

tags: added: stx.config stx.distro.openstack
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Tyler Smith (tyler.smith)
tags: added: stx.2.0
Yang Liu (yliu12)
description: updated
liuming (liumingxiyou) wrote :

I tested it, and it's OK in stein.

controller-0:~# openstack --os-auth-url http://192.168.204.2:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name lock_user --os-username test_lock --os-password Fiberhome.2019 token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-08-22T08:20:59+0000 |
| id | gAAAAABdXkJbryGs1cUOkj2dzz68Auns-72zm7ootwqYivPkRwyY08HMIXAA63j_mujDVuIoke9_IAZH2XkRsihZLNWdG27jiALEdvLLI6hCMRrksmDVsyyqVvS9nPJKRPRYHHtoV-nVOk_UgAHlz1AtUGB12-sWB895Q6rgK4hEj357M0Uv02Q |
| project_id | c49efd348c524df489d87b47e216fff5 |
| user_id | 993466a905eb49a09a4a4258c8c5139d |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

controller-0:~# openstack --os-auth-url http://192.168.204.2:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name lock_user --os-username test_lock --os-password Fiberhome token issue
The request you have made requires authentication. (HTTP 401) (Request-ID: req-c807685f-a941-4d94-b08a-6ac618e4f461)
controller-0:~# openstack --os-auth-url http://192.168.204.2:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name lock_user --os-username test_lock --os-password Fiberhome token issue
The request you have made requires authentication. (HTTP 401) (Request-ID: req-c5514cf1-03b7-4cfe-a269-a752d28a1b16)
controller-0:~#
controller-0:~# openstack --os-auth-url http://192.168.204.2:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name lock_user --os-username test_lock --os-password Fiberhome.2019 token issue
The account is locked for user: 993466a905eb49a09a4a4258c8c5139d. (HTTP 401) (Request-ID: req-979405ba-b036-4536-a1ba-ef35fee9ca71)

Ghada Khalil (gkhalil) wrote :

As per agreement with the community, moving all unresolved medium priority bugs from stx.2.0 to stx.3.0

tags: added: stx.3.0
removed: stx.2.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to upstream (master)

Fix proposed to branch: master
Review: https://review.opendev.org/679821

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/682137

OpenStack Infra (hudson-openstack) wrote : Change abandoned on upstream (master)

Change abandoned by Tyler Smith (<email address hidden>) on branch: master
Review: https://review.opendev.org/679821
Reason: Moved to keystone puppet manifest here:
https://review.opendev.org/#/c/682137/

OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/682137
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=9264e1ead6e9ee133a6fca4b98cdf011ff316137
Submitter: Zuul
Branch: master

commit 9264e1ead6e9ee133a6fca4b98cdf011ff316137
Author: Tyler Smith <email address hidden>
Date: Fri Sep 13 14:57:28 2019 -0400

    Enabling platform keystone account lockout

    Modifying keystone.conf lockout parameters

    Change-Id: Ida7e4768188de1bd272da0617eb1ea5b73df27de
    Closes-Bug: 1838100
    Signed-off-by: Tyler Smith <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Yang Liu (yliu12) wrote :

This issue is verified on master 20191027 load

tags: removed: stx.retestneeded