openstack app's admin account gets locked after change password

The issue here is that there are 2 keystone admin users: one for the host keystone instance and the second for the containerized openstack keystone. However, platform services (ex: nfv-vim) do not distinguish between the two. This is a design gap since the introduction of containerized openstack. More investigation is required to determine the best option forward.

Hi,
There are two admin, 1 for host platform services, 1 for containerized openstack.
Per your bash history, you executed the openstack cmd in OS_CLOUD environment, it means you changed "containerized openstack"'s admin password. "keyring get CGCS admin" is for host's admin password, that is why it is un-changed.
You could run "openstack user list" in both environment. And you will find both "admin" account with different GUID.

Thank you for the clarification, it works as you said

isn't it still a problem though if changing the password like i did gets the account locked?

Yes it is a problem. But as explained by Shuicheng, it's an issue on containerized openstack admin password change. I think you can open a Launchpad for it.

It is an issue. The issue is that openstack admin password is changed in keystone, but other openstack services still have the old password in secrets, and cause the lock issue.
Here is the service list which have the admin password:
[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get secrets -n openstack | grep keystone-admin
cinder-keystone-admin Opaque 9 88m
fm-keystone-admin Opaque 9 73m
glance-keystone-admin Opaque 9 90m
heat-keystone-admin Opaque 9 74m
keystone-keystone-admin Opaque 9 92m
neutron-keystone-admin Opaque 9 86m
nova-keystone-admin Opaque 9 86m
placement-keystone-admin Opaque 9 86m

Try to open the secret, we could get password in "OS_PASSWORD:". And use base64 to decode it.

We may need to monitor the password change in keystone, and update the secrets. The keystone is running in container, so it is not easy to do it.
The quick WA for it may disable the lock operation. Keystone just report error in log, but not force the lock operation. To do it, we need remove below setting in keystone container's /etc/keystone/keystone.conf:
"
[security_compliance]
lockout_duration = 1800
lockout_failure_attempts = 5
"

Don't have a good solution for it yet. Any suggestion is welcome.

This is what we've done for platform keystone admin user:

https://review.opendev.org/#/c/728492/
https://review.opendev.org/#/c/730834/

We don't want to exempt all users from fail auth lockout. We only exempt admin. This is done by setting a user option by a PATCH call.

Fix proposed to branch: master
Review: https://review.opendev.org/743503

Root cause was clear, but the scale of changes might be too big for stx.4.0.
So, we move this issue to stx.5.0.

Fix proposed to branch: master
Review: https://review.opendev.org/744823

Fix proposed to branch: master
Review: https://review.opendev.org/747143

Change abandoned by Lin Shuicheng (<email address hidden>) on branch: master
Review: https://review.opendev.org/744823

Change abandoned by Lin Shuicheng (<email address hidden>) on branch: master
Review: https://review.opendev.org/743503

Fix proposed to branch: master
Review: https://review.opendev.org/753971

Fix proposed to branch: master
Review: https://review.opendev.org/754578

Fix proposed to branch: master
Review: https://review.opendev.org/754580

Change abandoned by Lin Shuicheng (<email address hidden>) on branch: master
Review: https://review.opendev.org/754578

Change abandoned by Lin Shuicheng (<email address hidden>) on branch: master
Review: https://review.opendev.org/754580

Fix proposed to branch: master
Review: https://review.opendev.org/763314

Issue has been fixed with below CL:
https://review.opendev.org/c/starlingx/openstack-armada-app/+/763314
https://review.opendev.org/c/starlingx/openstack-armada-app/+/747143
https://review.opendev.org/c/starlingx/config/+/753971