After trying over 5 times with incorrect (old) password, the account will be locked for 1800 seconds.
+ keystone_config {
+ 'security_compliance/lockout_duration': value => 1800;
+ 'security_compliance/lockout_failure_attempts': value => 5;
+ }
Inside your log tarball, keystone-all.log indicated there were 6 authorization failures before the account locked. See the attachment.
to avoid the issue, right after the password is changed, you can apply the new password in your TC by:
export OS_PASSWORD=`TERM=linux /opt/platform/.keyring/19.09/.CREDENTIAL 2>/dev/null`
or explicitly put the updated password in all following test commands.
=================================================================================
BTW: the reason I didn't reproduce this behavior (of account locked) a few days ago was that I did not run commands for over 5 times with obsolete password. At that time, I only tried 1~2 times.
It turned out this is a security enhancement done by this patch (merged on Sept 18): /review. opendev. org/#/c/ 682137
https:/
After trying over 5 times with incorrect (old) password, the account will be locked for 1800 seconds.
+ keystone_config { compliance/ lockout_ duration' : value => 1800; compliance/ lockout_ failure_ attempts' : value => 5;
+ 'security_
+ 'security_
+ }
Inside your log tarball, keystone-all.log indicated there were 6 authorization failures before the account locked. See the attachment.
to avoid the issue, right after the password is changed, you can apply the new password in your TC by: `TERM=linux /opt/platform/ .keyring/ 19.09/. CREDENTIAL 2>/dev/null`
export OS_PASSWORD=
or explicitly put the updated password in all following test commands.
======= ======= ======= ======= ======= ======= ======= ======= ======= ======= ======= ====
BTW: the reason I didn't reproduce this behavior (of account locked) a few days ago was that I did not run commands for over 5 times with obsolete password. At that time, I only tried 1~2 times.
======= ======= ======= ======= ======= ======= ======= ======= ======= ======= ======= ====
So in summary, this is not an issue, but an enhanced security feature.