Comment 6 for bug 1887755

Lin Shuicheng (shuicheng) wrote : Re: keyring password not updated and account gets locked

It is an issue. The issue is that the OpenStack admin password is changed in keystone, but other OpenStack services still have the old password in their secrets, which causes the lock issue.
Here is the list of services which have the admin password:
[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get secrets -n openstack | grep keystone-admin
cinder-keystone-admin Opaque 9 88m
fm-keystone-admin Opaque 9 73m
glance-keystone-admin Opaque 9 90m
heat-keystone-admin Opaque 9 74m
keystone-keystone-admin Opaque 9 92m
neutron-keystone-admin Opaque 9 86m
nova-keystone-admin Opaque 9 86m
placement-keystone-admin Opaque 9 86m

If we open a secret, we can get the password in "OS_PASSWORD:" and use base64 to decode it.

We may need to monitor the password change in keystone and update the secrets. Keystone is running in a container, so it is not easy to do that.
The quick WA for it may be to disable the lock operation, so that Keystone just reports the error in the log but does not force the lock operation. To do that, we need to remove the setting below from the keystone container's /etc/keystone/keystone.conf:
"
[security_compliance]
lockout_duration = 1800
lockout_failure_attempts = 5
"

I don't have a good solution for it yet. Any suggestions are welcome.
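
The drift described in this comment can be checked without printing any password. The following is an added example, not part of the original comment or of the project's code: it assumes the input is the JSON produced by `kubectl get secrets -n openstack -o json`, and the function name and the sample passwords are constructed for illustration.

```python
import base64
import hmac
import json

SUFFIX = "-keystone-admin"  # naming pattern of the secrets listed in the comment


def stale_admin_secrets(secret_list_json, current_password):
    """Return the names of *-keystone-admin secrets whose OS_PASSWORD no
    longer matches current_password. Passwords are compared, never returned."""
    stale = []
    for item in json.loads(secret_list_json).get("items", []):
        name = item["metadata"]["name"]
        if not name.endswith(SUFFIX):
            continue
        encoded = item.get("data", {}).get("OS_PASSWORD")
        if encoded is None:
            stale.append(name)  # key missing: report it for manual review
            continue
        stored = base64.b64decode(encoded)  # Secret data is base64-encoded
        if not hmac.compare_digest(stored, current_password.encode()):
            stale.append(name)
    return sorted(stale)


def _secret(name, password):
    """Build one constructed Secret object in the shape kubectl emits."""
    return {
        "metadata": {"name": name, "namespace": "openstack"},
        "type": "Opaque",
        "data": {"OS_PASSWORD": base64.b64encode(password.encode()).decode()},
    }


# Constructed sample input: names follow the listing above, passwords are made up.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _secret("keystone-keystone-admin", "New-Passw0rd*"),
    _secret("cinder-keystone-admin", "Old-Passw0rd*"),
    _secret("nova-keystone-admin", "Old-Passw0rd*"),
    _secret("unrelated-secret", "x"),
]})

if __name__ == "__main__":
    for secret_name in stale_admin_secrets(SAMPLE, "New-Passw0rd*"):
        print("stale admin password in secret:", secret_name)
```

Run after each admin password change, the returned list names the secrets that would keep authenticating with the old password and so count toward lockout_failure_attempts.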