StarlingX

Horizon service parameters deprecated and not being used by puppet manifests

Bug #1950490 reported by Fabrizio Perez
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Low
Fabrizio Perez

Bug Description

Brief Description
-----------------
System parameters contains deprecated Horizon parameters and these aren't being used on the puppet manifests.

Severity
--------
Minor

Steps to Reproduce
------------------
Listing the deprecated service parameters:

$ system service-parameter-list | grep horizon
| 9c20ae9a-a140-4264-8135-b435bee9990f | horizon | auth | lockout_retries | 3 | None | None |
| 2be78b6e-9a10-414a-8ecf-c36d7c40340e | horizon | auth | lockout_seconds | 180 | None | None |

 /usr/share/puppet/modules/openstack/manifests/keystone.pp file have login protection parameters hard-coded:

keystone_config {
  'security_compliance/lockout_duration': value => 1800;
  'security_compliance/lockout_failure_attempts': value => 5;
{

Checking auto-generated keystone.conf file:

$ sudo cat /etc/keystone/keystone.conf | grep lockout
lockout_failure_attempts = 5
lockout_duration = 1800

The plan is to use login protection feature from Keystone, but the parameters need to be remapped to the correct service, not Horizon anymore.

Expected Behavior
------------------
    Parameters for login protection mapped under service keystone
    Parameters being used by puppet manifest to configure login protection feature

Actual Behavior
------------------
    Parameters for login protection mapped under service horizon
    Parameters not being used by puppet manifest to configure login protection feature (actually hard-coded on the manifest)

Reproducibility
------------------
100% Reproducible

System Configuration
------------------
Observed on StarlingX AIO-SX but may be present on every system configuration

Branch/Pull Time/Commit
------------------
http://mirror.starlingx.cengn.ca/mirror/starlingx/master/centos/latest_green_build/outputs/iso/

(latest green build dated 06/mar/2021)

Last Pass
------------------
Never passed

Timestamp/Logs
------------------
No logs, reproduced 24/may/2021, steps to reproduce show the evidences

Test Activity
------------------
Feature Testing - Login Protection feature on Keystone

Workaround
------------------
Change keystone.pp manifest to use horizon service parameters instead of the hard-coded values

Fabrizio Perez (fperezwindriver)
Changed in starlingx:
assignee: nobody → Fabrizio Perez (fperezwindriver)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/817464

Changed in starlingx:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/817466

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.config
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/817466
Committed: https://opendev.org/starlingx/stx-puppet/commit/4cff16b0868128447d7927ef6a33acec2ecd0272
Submitter: "Zuul (22348)"
Branch: master

commit 4cff16b0868128447d7927ef6a33acec2ecd0272
Author: fperez <email address hidden>
Date: Wed Nov 10 14:59:28 2021 -0300

    Move params from horizon.pp to keystone.pp

    Move unused params (lockout_period and lockout_retries) from
    /usr/share/puppet/modules/openstack/manifests/horizon.pp to
    /usr/share/puppet/modules/openstack/manifests/keystone.pp and
    use them to control values generated in the keystone.conf.
    These params will be controlled by lockout_seconds and
    lockout_retries system parameters.

    Test Plan:

    PASS: modify parameters and see the list updated.
    PASS: modify parameters, restart services and see the
    keystone.conf file section updated.
    PASS: build and install iso to check default_parameters
    updated.
    PASS: create valid user and get blocked.

    Depends on: https://review.opendev.org/c/starlingx/config/+/817464

    Closes-bug: 1950490

    Signed-off-by: fperez <email address hidden>
    Change-Id: I7523035ed91cd20beb8c74b60dc8425086168fdd

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.6.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/817464
Committed: https://opendev.org/starlingx/config/commit/16170a0e7f234361d0731bd118fb120ea9485cd2
Submitter: "Zuul (22348)"
Branch: master

commit 16170a0e7f234361d0731bd118fb120ea9485cd2
Author: fperez <email address hidden>
Date: Wed Nov 10 14:18:08 2021 -0300

    Remap service params to control lockout config

    Previous 'lockout_seconds' and 'lockout_retries' horizon service
    parameters are not being used by puppet manifest. Now, they are being
    modified and remapped to keystone service in order to control the
    lockout configuration during logging.

    By this way, these service parameters are now grouped into
    'identity' service, under 'security_compliance' section.

    On the upgrade scenario, old horizon service parameters will be
    removed by 60-svc-param-upgrade.py script and the new ones will
    be added as default parameters.

    Test Plan:
    PASS: modify parameters and see the list updated.
    PASS: modify parameters, restart services and see the
    keystone.conf file section updated.
    PASS: build and install iso to check default_parameters
    updated.
    PASS: upgrade from 21.05
    PASS: create valid user and get blocked.

    Failure Path:
    PASS: assign invalid values (not integer).

    Closes-bug: 1950490

    Signed-off-by: fperez <email address hidden>
    Change-Id: Ic3d4d23c1c13e4233e5fc1e2348612bc1e851a89

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to docs (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/docs/+/820939

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to docs (master)

Reviewed: https://review.opendev.org/c/starlingx/docs/+/820939
Committed: https://opendev.org/starlingx/docs/commit/483a8196d67bf374dc15f7f4c1fa176c2d74e8be
Submitter: "Zuul (22348)"
Branch: master

commit 483a8196d67bf374dc15f7f4c1fa176c2d74e8be
Author: Elisamara Aoki Goncalves <email address hidden>
Date: Tue Dec 7 16:17:17 2021 -0300

    Service parameters deprecated and not being used by puppet manifests

    Applied formatting changes

    Closes-bug: 1950490

    Signed-off-by: Elisamara Aoki Goncalves <email address hidden>
    Change-Id: Iaae1f1d93cc2c3be993781b0d1250b4214148d16

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.