platform keystone account lockout feature is not enabled
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | Medium | Tyler Smith | |
Bug Description
Brief Description
-----------------
platform keystone account lockout feature is disabled.
Note that in stx-openstack keystone, this is enabled properly. I would expect the platform keystone to be at least as secure as the containerized keystone.
To enable this feature, account lockout values need to be set in platform /etc/keystone/
openstack link to this feature:
https:/
Severity
--------
Major
Steps to Reproduce
------------------
TC-name: test_keystone_
1. Create a platform keystone user and assign role to it
2. Run openstack command with this user using correct password, and ensure it works
3. Run openstack command with this user using incorrect password multiple times (5+)
4. Run openstack command with this user using correct password again
Expected Behavior
------------------
3. User should be locked out
4. openstack command fails to execute even with the correct password due to account lockout
Actual Behavior
----------------
3. Account is not locked
4. openstack command ran successfully
Reproducibility
---------------
Reproducible
System Configuration
-------
Any
Branch/Pull Time/Commit
-------
stx master as of "20190726T013000Z"
Last Pass
---------
Unknown.
Previous keystone testing was against stx-openstack, which works as expected.
After adding similar tests for platform keystone, this issue is uncovered.
Timestamp/Logs
--------------
This is very easy to reproduce
Test Activity
-------------
Regression Testing
tags: added: stx.regression
tags: added: stx.retestneeded
description: updated
Marking as stx.2.0 / medium priority given this is a very specific capability that is no longer working, so doesn't have a wide impact on the system.
This was likely missed when the platform keystone was rebased to stein.
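
The condition reported above can also be checked from the configuration side, without running the login test. The following is an added example, not part of the bug report or of StarlingX code: it parses keystone.conf text and reports whether `lockout_failure_attempts` and `lockout_duration` are set under `[security_compliance]`. The function names and the sample configuration strings are constructed for illustration.

```python
import configparser

SECTION = "security_compliance"
OPTIONS = ("lockout_failure_attempts", "lockout_duration")

def _positive_int(raw):
    """Return raw as an int >= 1, or None if unset or invalid."""
    try:
        value = int(raw.strip())
    except (AttributeError, ValueError):
        return None
    return value if value >= 1 else None

def check_lockout(conf_text):
    """Report whether account lockout is configured in keystone.conf text."""
    # default_section is renamed so [DEFAULT] values are not inherited by
    # [security_compliance]; keystone reads these options only from the
    # latter. strict=False tolerates repeated sections and options.
    parser = configparser.ConfigParser(
        default_section="__unused__", interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = {o: parser.get(SECTION, o, fallback=None) for o in OPTIONS}
    attempts = _positive_int(raw["lockout_failure_attempts"])
    duration = _positive_int(raw["lockout_duration"])
    findings = []
    if raw["lockout_failure_attempts"] is None:
        findings.append("lockout_failure_attempts not set: lockout disabled")
    elif attempts is None:
        findings.append("lockout_failure_attempts is not an integer >= 1")
    if raw["lockout_duration"] is not None and duration is None:
        findings.append("lockout_duration is not an integer >= 1")
    for section in parser.sections():
        for option in OPTIONS:
            if section != SECTION and parser.has_option(section, option):
                findings.append(f"{option} found in [{section}], ignored")
    return {"enabled": attempts is not None, "attempts": attempts,
            "duration": duration, "findings": findings}

# Constructed samples, not taken from any real deployment.
UNSET = ("[DEFAULT]\ndebug = false\n\n[security_compliance]\n"
         "# lockout_failure_attempts = <None>\n")
MISPLACED = "[DEFAULT]\nlockout_failure_attempts = 5\n\n[security_compliance]\n"
ENABLED = ("[security_compliance]\nlockout_failure_attempts = 5\n"
           "lockout_duration = 1800\n")

if __name__ == "__main__":
    for name, text in (("unset", UNSET), ("misplaced", MISPLACED),
                       ("enabled", ENABLED)):
        print(name, check_lockout(text))
```

A configuration check like this complements the login-based test in the steps above; it does not replace it, since only the functional test confirms that keystone actually rejects the correct password after repeated failures.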