StarlingX 2.0 Account is locked for user

Bug #1853093 reported by ANIRUDH GUPTA on 2019-11-19
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
High
Yan Chen

Bug Description

Brief Description
-----------------------------

StarlingX 2.0 Duplex Baremetal is installed which is up and running.

While using it for more than 30 mins regularly, horizon login fails with Invalid Credentials.
No change is done in any config file

When I tried to get a token a CLI, there is an error of "User Account Locked"

{"error":{"code":401,"message":"The account is locked for user: 230578cde382430a8adac399afab1230.","title":"Unauthorized"}}

After sometime, it gets login successfully without doing any changes

Issue
-------------------

The Account gets locked for user

Expected Behaviour
-------------------------------------

The Account should never get locked for the user

yong hu (yhu6) wrote :

what version of Cengn build were you running?
Which Horizon did you access? via port :8080 or :31000?

The issue might be similar to https://bugs.launchpad.net/starlingx/+bug/1853017

tags: added: stx.distro.openstack
Changed in starlingx:
importance: Undecided → High
assignee: nobody → yong hu (yhu6)
ANIRUDH GUPTA (anyrude10) wrote :

I am using the StarlingX 2.0 Release Branch

http://mirror.starlingx.cengn.ca/mirror/starlingx/release/2.0.0/centos/outputs/iso/

Horizon on 8080 is working fine, but on 310000 the issue is observed

yong hu (yhu6) wrote :

Are you using this helm chart?http://mirror.starlingx.cengn.ca/mirror/starlingx/release/2.0.0/centos/outputs/helm-charts/stx-openstack-1.0-17-centos-stable-versioned.tgz

If you want to disable the security policy, you can remove the following 3 lines in "~/charts/keystone/values" after you unzip this tgz file:

    security_compliance:
      # NOTE(vdrok): The following two options have effect only for SQL backend
      lockout_failure_attempts: 5
      lockout_duration: 1800

And as well, you need to upload and apply "stx-openstack" once more by "system application-upload" and "system application-apply" cmds.

ANIRUDH GUPTA (anyrude10) wrote :
yong hu (yhu6) wrote :

@Anirudh, have you ever changed the password for "admin" user?

The root cause for https://bugs.launchpad.net/starlingx/+bug/1853017 was found out, but it was triggered by admin password change.

In addition, please run "collect" cmd on 2 controllers and upload the generated log taralls for debugging.

tags: added: stx.2.0
yong hu (yhu6) on 2019-12-02
Changed in starlingx:
status: New → Incomplete
ANIRUDH GUPTA (anyrude10) wrote :

Hi Yong,

This issue occurred, even if there was no change in Password.

Since I was not hearing any prompt response and I was completely stuck, I had re-installed the StarlingX Setup. I'll share the "collect" logs once I generate the scenario again.

yong hu (yhu6) on 2019-12-25
Changed in starlingx:
assignee: yong hu (yhu6) → Yan Chen (ychen2u)
zhipeng liu (zhipengs) wrote :

Hi Anirudh,

Any update on this issue? Have you reproduced it and collected new logs?

Thanks!
Zhipeng

yong hu (yhu6) wrote :

This issue was fixed on master, so the patches should be propagated to stx.2.0 for this LP.
Yong will talk with Ghada on this matter.

Ghada Khalil (gkhalil) wrote :

Is this bug a duplicate of https://bugs.launchpad.net/starlingx/+bug/1853017 which was recently fixed in stx master and r/stx.3.0?

yong hu (yhu6) wrote :

@Ghada, we were not quite clear how the issue LP was triggered in the first place, but we look into codes in stx.2.0, the same issue could be there too. So, I would suggest to adapt the changes to stx.2.0 branch if you agree.

Ghada Khalil (gkhalil) wrote :

Thanks Yong. I am fine with putting the fix for https://bugs.launchpad.net/starlingx/+bug/1853017 in the r/stx.2.0 branch. I've added the stx.2.0 release tag to the LP.

Hi Zhipeng,

I have not been able to reproduced the issue as of now.

Regards
Anirudh Gupta

-----Original Message-----
From: <email address hidden> <email address hidden> On Behalf Of zhipeng liu
Sent: 11 February 2020 12:50
To: Anirudh Gupta <email address hidden>
Subject: [Bug 1853093] Re: StarlingX 2.0 Account is locked for user

Hi Anirudh,

Any update on this issue? Have you reproduced it and collected new logs?

Thanks!
Zhipeng

--
You received this bug notification because you are subscribed to the bug report.
https://ind01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.launchpad.net%2Fbugs%2F1853093&amp;data=02%7C01%7C%7C232514ce2e7c4df60db008d7aec39e8f%7Ca65543b9ae9349b580f00b85821adc50%7C1%7C0%7C637170027544671646&amp;sdata=xkMy9EujRNCnZxQ229gVAP%2BhCT6OTpsDzBj1UChDl6g%3D&amp;reserved=0

Title:
  StarlingX 2.0 Account is locked for user

Status in StarlingX:
  Incomplete

Bug description:
  Brief Description
  -----------------------------

  StarlingX 2.0 Duplex Baremetal is installed which is up and running.

  While using it for more than 30 mins regularly, horizon login fails with Invalid Credentials.
  No change is done in any config file

  When I tried to get a token a CLI, there is an error of "User Account
  Locked"

  {"error":{"code":401,"message":"The account is locked for user:
  230578cde382430a8adac399afab1230.","title":"Unauthorized"}}

  After sometime, it gets login successfully without doing any changes

  Issue
  -------------------

  The Account gets locked for user

  Expected Behaviour
  -------------------------------------

  The Account should never get locked for the user

To manage notifications about this bug go to:
https://ind01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugs.launchpad.net%2Fstarlingx%2F%2Bbug%2F1853093%2F%2Bsubscriptions&amp;data=02%7C01%7C%7C232514ce2e7c4df60db008d7aec39e8f%7Ca65543b9ae9349b580f00b85821adc50%7C1%7C0%7C637170027544671646&amp;sdata=uj%2BJHLJpuDYcGb30gKPN%2Fu1sVlojDCSfbDiXZiSk%2FLo%3D&amp;reserved=0
DISCLAIMER: This electronic message and all of its contents, contains information which is privileged, confidential or otherwise protected from disclosure. The information contained in this electronic mail transmission is intended for use only by the individual or entity to which it is addressed. If you are not the intended recipient or may have received this electronic mail transmission in error, please notify the sender immediately and delete / destroy all copies of this electronic mail transmission without disclosing, copying, distributing, forwarding, printing or retaining any part of it. Hughes Systique accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus.

Reviewed: https://review.opendev.org/707523
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=35d8ccb8a7adc9b3b2b46373ca9f89d08c94cd6a
Submitter: Zuul
Branch: r/stx.2.0

commit 35d8ccb8a7adc9b3b2b46373ca9f89d08c94cd6a
Author: Shuicheng Lin <email address hidden>
Date: Thu Feb 13 10:58:21 2020 +0800

    Enable keystone to send out event notification

    notification driver need be set for keystone, in order to send out
    notification. The driver value could be "messaging, messagingv2,
    routing, log, test, noop (multi valued)".
    This is in order to monitor admin password change in sysinv.

    Partial-Bug: 1853017
    Partial-Bug: 1853093

    Signed-off-by: Shuicheng Lin <email address hidden>
    (cherry picked from commit a36b4823b7dbacdc4a795e3e3978fbed6e952ced)

    Change-Id: Ia6661eaf294f97debca2cdb463455a23639892c1

Reviewed: https://review.opendev.org/707522
Committed: https://git.openstack.org/cgit/starlingx/upstream/commit/?id=dfe155136d3337a18bfbd19a7fb6f57614d455ba
Submitter: Zuul
Branch: r/stx.2.0

commit dfe155136d3337a18bfbd19a7fb6f57614d455ba
Author: Shuicheng Lin <email address hidden>
Date: Wed Dec 18 12:47:23 2019 +0800

    Update Keyring password info before sending out notification

    Need update password before send out notification. Otherwise, any
    process which monitors the "updated" notification will still get old
    password from Keyring.

    Partial-Bug: 1853017
    Partial-Bug: 1853093

    Change-Id: Id1c94fedca41abe96c7b38880bf325d4a25a95eb
    Signed-off-by: Shuicheng Lin <email address hidden>
    (cherry picked from commit d1294d7e679460661b42af64c87480b429a3366c)

Reviewed: https://review.opendev.org/707524
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=7e5e887eb38042a0679ec100ca5d4016c6efe2bc
Submitter: Zuul
Branch: r/stx.2.0

commit 7e5e887eb38042a0679ec100ca5d4016c6efe2bc
Author: Shuicheng Lin <email address hidden>
Date: Wed Dec 11 16:37:03 2019 +0800

    Audit local registry secret info when there is user update in keystone

    local registry uses admin's username&password for authentication.
    And admin's password could be changed by openstack client cmd. It will
    cause auth info in secrets obsolete, and lead to invalid authentication
    in keystone.
    To keep secrets info updated, keystone event notification is enabled.
    And event notification listener is added in sysinv. So when there is
    user password change, a user update event will be sent out by keystone.
    And sysinv will call function audit_local_registry_secrets to check
    whether kubernetes secret info need be updated or not.

    A periodic task is added also to ensure secrets are always synced, in
    case notification is missed or there is failure in handle notification.

    oslo_messaging is added to tox's requirements.txt to avoid tox failure.
    The version is based on global-requirements.txt from Openstack Train.

    Test:
    Pass deployment and secrets could be updated automatically with new auth
    info.
    Pass host-swact in duplex mode.

    We lack of info how LP1853093 was triggered by the user, but this patch
    can address the issue that local registry secrets are not updated
    accordingly after the password of "admin" is changed.
    And this fix will help technically.

    Closes-Bug: 1853017
    Closes-Bug: 1853093
    Depends-On: https://review.opendev.org/707522
    Depends-On: https://review.opendev.org/707523
    Change-Id: I959b65288e0834b989aa87e40506e41d0bba0d59
    Signed-off-by: Shuicheng Lin <email address hidden>
    (cherry picked from commit 8ab1e2d7c624f83d72efcbfcddcdffa567a26bad)

yong hu (yhu6) wrote :

3 patches were merged (cherry-picked) to stx.2.0 branch, so after we got another fix from https://bugs.launchpad.net/starlingx/+bug/1853017, we can close this issue.

Yan Chen (ychen2u) on 2020-03-18
Changed in starlingx:
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers