Lockout of keystone admin user is not disabled on upgrades

Bug #1887470 reported by Ghada Khalil
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Andy
Milestone: (none listed)

Bug Description

Brief Description
-----------------
This is a follow-up on https://bugs.launchpad.net/starlingx/+bug/1877179
If an upgrade is attempted from an n build (which doesn't have the above fix i.e. doesn't prevent the lockout of the keystone admin user) to an n+1 build (which has the fix), the admin user can still be locked out after the upgrade. This is inconsistent with doing a fresh install of the n+1 build.

The code to disable the user lockout was not included as a step in the upgrade migration.

Severity
--------
Minor - LP is opened for completeness to address the inconsistency in behavior

Steps to Reproduce
------------------
See the description. This has to be simulated by attempting a non-null upgrade.

Expected Behavior
------------------
The keystone admin user is set up the same way after an upgrade as it is after a fresh install

Actual Behavior
----------------
The keystone admin user can be locked out after an upgrade to a build which has the original fix

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
Any load since 2020-05-28

Last Pass
---------
Never

Timestamp/Logs
--------------
NA

Test Activity
-------------
Upgrades Developer Testing

Workaround
----------
TBD - this can manually be updated after the upgrade. Exact procedure is TBD.

Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
tags: added: stx.5.0 stx.config stx.update
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
Ghada Khalil (gkhalil)
description: updated
Changed in starlingx:
importance: Medium → Low
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/741662

Changed in starlingx:
status: Triaged → In Progress
Ghada Khalil (gkhalil) wrote :

Changing to stx.4.0. As per the review comments, this code runs on upgrades to stx.4.0

tags: added: stx.4.0
removed: stx.5.0
Changed in starlingx:
importance: Low → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/741662
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=686c6043e96c3a91ca6575efa5a245a22c3e5854
Submitter: Zuul
Branch: master

commit 686c6043e96c3a91ca6575efa5a245a22c3e5854
Author: Andy Ning <email address hidden>
Date: Fri Jul 17 11:29:57 2020 -0400

    Exempt admin from lockout during system upgrade

    The update added a script that will be invoked at the "activate" stage of
    system upgrade. The script makes a keystone user PATCH API call to set
    "ignore_lockout_failure_attempts" option for admin user so that it is exempted
    from failed auth lockout.

    Change-Id: I97138f78c760f8bebb137d68a473cc125f452f14
    Closes-Bug: 1887470
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (r/stx.4.0)

Fix proposed to branch: r/stx.4.0
Review: https://review.opendev.org/741981

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (r/stx.4.0)

Reviewed: https://review.opendev.org/741981
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=a5074f398afcdf973ea1d28ac9cc29244ede7391
Submitter: Zuul
Branch: r/stx.4.0

commit a5074f398afcdf973ea1d28ac9cc29244ede7391
Author: Andy Ning <email address hidden>
Date: Fri Jul 17 11:29:57 2020 -0400

    Exempt admin from lockout during system upgrade

    The update added a script that will be invoked at the "activate" stage of
    system upgrade. The script makes a keystone user PATCH API call to set
    "ignore_lockout_failure_attempts" option for admin user so that it is exempted
    from failed auth lockout.

    Change-Id: I97138f78c760f8bebb137d68a473cc125f452f14
    Closes-Bug: 1887470
    Signed-off-by: Andy Ning <email address hidden>
    (cherry picked from commit 686c6043e96c3a91ca6575efa5a245a22c3e5854)

Ghada Khalil (gkhalil)
tags: added: in-r-stx40
Changed in starlingx:
status: Fix Released → In Progress
John Kung (john-kung) wrote :

Issue noted during upgrade on the upgrade-activate step:

While running 20-exempt-admin-from-lockout.sh introduced in initial update for this LP:
 https://git.openstack.org/cgit/starlingx/config/commit/?id=a5074f398afcdf973ea1d28ac9cc29244ede7391

2020-07-21T17:25:54.000 controller-0 root: info 20-exempt-admin-from-lockout.sh: Setting ignore_lockout_failure_attempts option for admin to exempt it from fail auth lockout.
2020-07-21T17:25:56.000 controller-0 root: info 20-exempt-admin-from-lockout.sh: Set ignore_lockout_failure_attempts option for user admin failed.

As per investigation by Andy, this is due to the handling of IPv6 addresses within this lab. An incremental update to handle IPv6 addresses is required for the script.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/742265

Ghada Khalil (gkhalil)
tags: removed: in-r-stx40
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/742265
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=1102864c819ba96df69cfb3e1a6142aef0974506
Submitter: Zuul
Branch: master

commit 1102864c819ba96df69cfb3e1a6142aef0974506
Author: Andy Ning <email address hidden>
Date: Tue Jul 21 14:47:48 2020 -0400

    Fix 20-exempt-admin-from-lockout.sh for IPv6

    For IPv6 system, the script will fail with return status 1.
    This is caused by curl failing to parse request URL with IPv6 IP
    address in "[ ]". The error produced by curl will be:

    curl: (3) [globbing] error: bad range specification after pos 9

    The fix is to add a "-g" option to the curl command.

    Change-Id: I7f2c9c1eca81e845f2d443f3b8962ab206f1328d
    Closes-Bug: 1887470
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (r/stx.4.0)

Fix proposed to branch: r/stx.4.0
Review: https://review.opendev.org/742280

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (r/stx.4.0)

Reviewed: https://review.opendev.org/742280
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=023aca0a04ed4fdabfb5713143c1b80ad8a9dafa
Submitter: Zuul
Branch: r/stx.4.0

commit 023aca0a04ed4fdabfb5713143c1b80ad8a9dafa
Author: Andy Ning <email address hidden>
Date: Tue Jul 21 14:47:48 2020 -0400

    Fix 20-exempt-admin-from-lockout.sh for IPv6

    For IPv6 system, the script will fail with return status 1.
    This is caused by curl failing to parse request URL with IPv6 IP
    address in "[ ]". The error produced by curl will be:

    curl: (3) [globbing] error: bad range specification after pos 9

    The fix is to add a "-g" option to the curl command.

    Change-Id: I7f2c9c1eca81e845f2d443f3b8962ab206f1328d
    Closes-Bug: 1887470
    Signed-off-by: Andy Ning <email address hidden>
    (cherry picked from commit 1102864c819ba96df69cfb3e1a6142aef0974506)

Ghada Khalil (gkhalil)
tags: added: in-r-stx40
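
The request described in the commit messages above, as an added example (this is not the project's 20-exempt-admin-from-lockout.sh): it builds the keystone user PATCH for IPv4 or IPv6 endpoints and passes `-g` so curl accepts the bracketed address. The function names, the `http` scheme, port 5000, user id and token are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the StarlingX script. Function names are hypothetical;
# the scheme, port, user id and token below are constructed placeholders.

# Wrap a bare IPv6 literal in "[ ]" so it is valid inside a URL; leave IPv4
# addresses, hostnames and already-bracketed literals unchanged.
url_host() {
    case "$1" in
        \[*\]) printf '%s' "$1" ;;
        *:*)   printf '[%s]' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# Keystone v3 user resource URL. Args: host port user_id
user_url() {
    printf 'http://%s:%s/v3/users/%s' "$(url_host "$1")" "$2" "$3"
}

# Body that sets the per-user option named in the commit message.
lockout_exempt_body() {
    printf '%s' '{"user": {"options": {"ignore_lockout_failure_attempts": true}}}'
}

# PATCH the user and succeed only on HTTP 200. Args: host port user_id token
# -g (--globoff) stops curl treating "[ ]" in the URL as a glob range, which
# is what produced "bad range specification" on the IPv6 lab.
exempt_user() {
    url=$(user_url "$1" "$2" "$3")
    set -- curl -g -s -o /dev/null -w '%{http_code}' -X PATCH \
        -H "X-Auth-Token: $4" -H 'Content-Type: application/json' \
        -d "$(lockout_exempt_body)" "$url"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"      # show the command, send nothing
        return 0
    fi
    status=$("$@") || return 1  # curl itself failed (e.g. exit 3, bad URL)
    [ "$status" = 200 ]         # keystone rejected the update otherwise
}

# Dry run against a constructed IPv6 endpoint.
DRY_RUN=1
exempt_user fd00::2 5000 EXAMPLE_USER_ID EXAMPLE_TOKEN
```

Checking the HTTP status as well as curl's exit code separates a URL parsing failure from a request that keystone refused.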