tempest identity api error: You cannot change your password at this time due to the minimum password age.

Bug #1946459 reported by 陈柳飞洋
This bug affects 1 person
Affects   Status         Importance   Assigned to          Milestone
tempest   Fix Released   Medium       Katarina Strenkova

Bug Description

Description
===========

Community Devstack does not open any security items by default. Yet when security compliance is true, running the test cases
tempest.api.identity.v3.test_users.IdentityV3UsersTest.test_password_history_check_self_service_api
and
tempest.api.identity.v3.test_users.IdentityV3UsersTest.test_user_update_own_password
will report error 400. This is because the two test cases have actually run successfully and changed the password, but after running, when the function addCleanup is executed to clear the stored password, the password needs to be changed again, and it takes another day before the password is allowed to be changed after setting the change password in [security_compliance] of the keystone configuration file. Therefore, an error is reported.

Configs
==============

keystone.conf

[security_compliance]
lockout_failure_attempts = 6
lockout_duration = 300
change_password_upon_first_use = True (needs to be False to Test, alexy)
password_expires_days = 90
password_regex = ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$
password_regex_description = Passwords must contain at least 1 letter, 1 digit, and be a minimum length of 7 characters.
unique_last_password_count = 2
minimum_password_age = 1

Logs
==============

tempest logs

==============================
Failed 1 tests - output below:
==============================

tempest.api.identity.v3.test_users.IdentityV3UsersTest.test_user_update_own_password[id-ad71bd23-12ad-426b-bb8b-195d2b635f27]
-----------------------------------------------------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):

      File "/root/tempest/tempest/api/identity/v3/test_users.py", line 67, in _restore_password
    original_password=new_pass, password=random_pass)

      File "/root/tempest/tempest/api/identity/v3/test_users.py", line 45, in _update_password
    original_password=original_password)

      File "/root/tempest/tempest/lib/services/identity/v3/users_client.py", line 66, in update_user_password
    resp, _ = self.post('users/%s/password' % user_id, update_user)

      File "/root/tempest/tempest/lib/common/rest_client.py", line 283, in post
    return self.request('POST', url, extra_headers, headers, body, chunked)

      File "/root/tempest/tempest/lib/common/rest_client.py", line 687, in request
    self._error_checker(resp, resp_body)

      File "/root/tempest/tempest/lib/common/rest_client.py", line 798, in _error_checker
    raise exceptions.BadRequest(resp_body, resp=resp)

    tempest.lib.exceptions.BadRequest: Bad request
Details: {'code': 400, 'message': 'You cannot change your password at this time due to the minimum password age. Once you change your password, it must be used for 1 day(s) before it can be changed. Please try again in 0 day(s) or contact your administrator to reset your password.', 'title': 'Bad Request'}

Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
    2021-10-08 17:29:10,455 17369 DEBUG [tempest.api.identity.v3.test_users] ================creds: {'_initial': {'username': 'tempest-IdentityV3UsersTest-597745757', 'user_id': '454b43812d4849408639e0350a76f788', 'project_name': 'tempest-IdentityV3UsersTest-597745757', 'project_id': 'bdda6f8381c14235ab103654f5038531', 'password': 'P4#ZvTfyd_p6y%h', 'project_domain_id': 'default', 'project_domain_name': 'Default', 'domain_id': 'default', 'domain_name': 'Default'}, 'username': 'tempest-IdentityV3UsersTest-597745757', 'user_id': '454b43812d4849408639e0350a76f788', 'tenant_name': 'tempest-IdentityV3UsersTest-597745757', 'project_name': 'tempest-IdentityV3UsersTest-597745757', 'tenant_id': 'bdda6f8381c14235ab103654f5038531', 'project_id': 'bdda6f8381c14235ab103654f5038531', 'password': 'P4#ZvTfyd_p6y%h', 'user_domain_id': 'default', 'project_domain_id': 'default', 'user_domain_name': 'Default', 'project_domain_name': 'Default', 'domain_id': 'default', 'domain_name': 'Default'}
2021-10-08 17:29:10,455 17369 DEBUG [tempest.api.identity.v3.test_users] =================user_id: 454b43812d4849408639e0350a76f788
2021-10-08 17:29:10,456 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:test_user_update_own_password): POST http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password
2021-10-08 17:29:11,537 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 204 POST http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password 1.081s
2021-10-08 17:29:11,538 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"user": {"password": "P8~eKhg50N6P&MS", "original_password": "P4#ZvTfyd_p6y%h"}}
    Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:10 GMT', 'server': 'Apache', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-b523ab4b-e44e-46d4-bf09-85116fdba26f', 'connection': 'close', 'content-type': 'text/plain; charset=UTF-8', 'status': '204', 'content-location': 'http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password'}
        Body: b''
2021-10-08 17:29:12,539 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:test_user_update_own_password): POST http://172.20.151.172:5000/v3/auth/tokens
2021-10-08 17:29:12,888 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 201 POST http://172.20.151.172:5000/v3/auth/tokens 0.349s
2021-10-08 17:29:12,888 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json'}
        Body: <omitted>
    Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:12 GMT', 'server': 'Apache', 'x-subject-token': '<omitted>', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-20b0d499-919e-4b47-87f7-d680df315dbe', 'content-length': '368', 'connection': 'close', 'content-type': 'application/json', 'status': '201', 'content-location': 'http://172.20.151.172:5000/v3/auth/tokens'}
        Body: b'{"token": {"issued_at": "2021-10-08T09:29:12.000000Z", "audit_ids": ["0c_mvxF6S5-boRCYGMZYrg"], "methods": ["password"], "expires_at": "2021-10-08T15:29:12.000000Z", "user": {"password_expires_at": "2021-10-08T09:29:09.764059", "domain": {"id": "default", "name": "Default"}, "id": "454b43812d4849408639e0350a76f788", "name": "tempest-IdentityV3UsersTest-597745757"}}}'
2021-10-08 17:29:12,889 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:test_user_update_own_password): POST http://172.20.151.172:5000/v3/auth/tokens
2021-10-08 17:29:12,928 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 404 POST http://172.20.151.172:5000/v3/auth/tokens 0.040s
2021-10-08 17:29:12,929 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json'}
        Body: <omitted>
    Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:12 GMT', 'server': 'Apache', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-ff8f8848-3590-4fd4-97c6-f38d2c0b751c', 'content-length': '80', 'connection': 'close', 'content-type': 'application/json', 'status': '404', 'content-location': 'http://172.20.151.172:5000/v3/auth/tokens'}
        Body: b'{"error":{"code":404,"message":"Failed to validate token","title":"Not Found"}}\n'
2021-10-08 17:29:12,930 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:test_user_update_own_password): POST http://172.20.151.172:5000/v3/auth/tokens
2021-10-08 17:29:13,317 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 401 POST http://172.20.151.172:5000/v3/auth/tokens 0.387s
2021-10-08 17:29:13,317 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json'}
        Body: <omitted>
    Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:12 GMT', 'server': 'Apache', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-15e862f2-037b-4d59-ad66-d71330a6a6f2', 'www-authenticate': 'Keystone uri="http://172.20.151.172:5000/v3"', 'content-length': '109', 'connection': 'close', 'content-type': 'application/json', 'status': '401', 'content-location': 'http://172.20.151.172:5000/v3/auth/tokens'}
        Body: b'{"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}\n'
2021-10-08 17:29:13,318 17369 DEBUG [tempest.api.identity.v3.test_users] ================creds: {'_initial': {'username': 'tempest-IdentityV3UsersTest-597745757', 'user_id': '454b43812d4849408639e0350a76f788', 'project_name': 'tempest-IdentityV3UsersTest-597745757', 'project_id': 'bdda6f8381c14235ab103654f5038531', 'password': 'P4#ZvTfyd_p6y%h', 'project_domain_id': 'default', 'project_domain_name': 'Default', 'domain_id': 'default', 'domain_name': 'Default'}, 'username': 'tempest-IdentityV3UsersTest-597745757', 'user_id': '454b43812d4849408639e0350a76f788', 'tenant_name': 'tempest-IdentityV3UsersTest-597745757', 'project_name': 'tempest-IdentityV3UsersTest-597745757', 'tenant_id': 'bdda6f8381c14235ab103654f5038531', 'project_id': 'bdda6f8381c14235ab103654f5038531', 'password': 'P8~eKhg50N6P&MS', 'user_domain_id': 'default', 'project_domain_id': 'default', 'user_domain_name': 'Default', 'project_domain_name': 'Default', 'domain_id': 'default', 'domain_name': 'Default'}
2021-10-08 17:29:13,318 17369 DEBUG [tempest.api.identity.v3.test_users] =================user_id: 454b43812d4849408639e0350a76f788
2021-10-08 17:29:13,707 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:_run_cleanups): 201 POST http://172.20.151.172:5000/v3/auth/tokens 0.389s
2021-10-08 17:29:13,708 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json'}
        Body: <omitted>
    Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:13 GMT', 'server': 'Apache', 'x-subject-token': '<omitted>', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-4a48fafc-3bb2-4dfc-9512-1595f2187eda', 'content-length': '11078', 'connection': 'close', 'content-type': 'application/json', 'status': '201', 'content-location': 'http://172.20.151.172:5000/v3/auth/tokens'}
        Body: b'{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "33c8d3ee746b4171801b43b2db6cf43d", "name": "courier_project_member"}, {"id": "14cf0dab842d454682837d7ec2b40b39", "name": "heat_project_member"}, {"id": "4bc98f9a68ff449483da0a4086859c46", "name": "project_member"}, {"id": "d53afde73b9e49c083aa25866161354c", "name": "octavia_project_member"}, {"id": "aa1e36cc82cd4f0a84eaf0efa76af2d3", "name": "nova_project_member"}, {"id": "aaa5124a35fb4ec19613a0b73ffa2870", "name": "keystone_project_member"}, {"id": "077bb4595181495b91eec05b4d4ff733", "name": "glance_project_member"}, {"id": "421e4b4f3f51492da106ea75da50ac63",
     "name": "panko_project_member"}, {"id": "1788a6425e684f91af94cdf03095b9d4", "name": "neutron_project_member"}, {"id": "3edbe37078ec4946a02639d582c78b42", "name": "cinder_project_member"}], "expires_at": "2021-10-08T15:29:13.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "bdda6f8381c14235ab103654f5038531", "name": "tempest-IdentityV3UsersTest-597745757"}, "catalog": [{"endpoints": [{"url": "http://192.168.10.176:9101", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "23d1b9153e7941c588d50bce6a997d71"}, {"url": "http://192.168.10.176:9101", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "f18dfa1df1d0490684f60c468b3357c7"}, {"url": "http://192.168.10.176:9101", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "fd01de692cad46bf94e22d85b4e91b47"}], "type": "metric", "id": "01e560e644f34586bfa134749cc11a32", "name": "prometheus"}, {"endpoints": [{"url": "http://192.168.10.176:9093", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "2e63635087a64b69ae5539954840d176"}, {"url": "http://192.168.10.176:9093", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "3d2cf420689d4bb393faec9c2159648c"}, {"url": "http://192.168.10.176:9093", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "70919943b5e748ed9fafa963b8cc4433"}], "type": "alarming", "id": "16b4ac122ad64a5993490f468fe46dab", "name": "alertmanager"}, {"endpoints": [{"url": "http://192.168.10.176:5000", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "24281193a2374dc39c2685c4e20856dd"}, {"url": "http://192.168.10.176:35357", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "2f98348fa47a431c9df03e2bd095acbe"}, {"url": "http://192.168.10.176:5000", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": 
"596c911f2916471fa74b916ebac4510c"}], "type": "identity", "id": "197fc642f13541509dabace506316af6", "name": "keystone"}, {"endpoints": [{"url": "http://192.168.10.176:8776/v3/bdda6f8381c14235ab103654f5038531", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "052899db55d1443b8120e42b934dfd3b"}, {"url": "http://192.168.10.176:8776/v3/bdda6f8381c14235ab103654f5038531", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "cb117b205c12454a8e909becf15be7de"}, {"url": "http://192.168.10.176:8776/v3/bdda6f8381c14235ab103654f5038531", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "e4818c0e80994bbf966342b383949079"}], "type": "volumev3", "id": "1e68e8e4229340b49b5146cd8e7ea759", "name": "cinderv3"}, {"endpoints": [{"url": "http://192.168.10.176:6780", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "5779095255d84b4cb67d2683dc168cbd"}, {"url": "http://192.168.10.176:6780", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "5e262d3137ac4f2c930816cc29e5cbd6"}, {"url": "http://192.168.10.176:6780", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "b251a338d0134e6db6fff4bc530b117b"}], "type": "s3_object_store", "id": "2dbe077c2a184b529867e27c09b1175d", "name": "s3"}, {"endpoints": [{"url": "http://192.168.10.176:18084", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "2c63aeca32684
2021-10-08 17:29:13,708 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:_run_cleanups): POST http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password
2021-10-08 17:29:14,121 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:_run_cleanups): 400 POST http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password 0.413s
2021-10-08 17:29:14,122 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"user": {"password": "X9^088ka8kcorqh", "original_password": "P8~eKhg50N6P&MS"}}
    Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:13 GMT', 'server': 'Apache', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-ba04cc92-96cd-4db5-a87a-2ac1f124f72d', 'content-length': '304', 'connection': 'close', 'content-type': 'application/json', 'status': '400', 'content-location': 'http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password'}
        Body: b'{"error":{"code":400,"message":"You cannot change your password at this time due to the minimum password age. Once you change your password, it must be used for 1 day(s) before it can be changed. Please try again in 0 day(s) or contact your administrator to reset your password.","title":"Bad Request"}}\n'

======
Totals
======
Ran: 1 tests in 3.6686 sec.
 - Passed: 0
 - Skipped: 0
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 1
Sum of execute time for each test: 3.6686 sec.

==============
Worker Balance
==============
 - Worker 0 (1 tests) => 0:00:03.668596
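
A triage helper for the failure mode in this report, as an added example that is not part of the original bug or of tempest: it scans tempest request logs for a self-service password change that succeeds (204) followed by one for the same user that keystone rejects (400) with the minimum-password-age message. The sample log is constructed from the line format shown above; the host `keystone.example` and the function name `find_min_age_failures` are assumptions.

```python
import re

# Constructed sample in the shape of the tempest log lines in the report above.
# keystone.example is a placeholder host; the user id is the one from the report.
SAMPLE_LOG = """
2021-10-08 17:29:11,537 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 204 POST http://keystone.example/v3/users/454b43812d4849408639e0350a76f788/password 1.081s
2021-10-08 17:29:12,888 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 201 POST http://keystone.example/v3/auth/tokens 0.349s
2021-10-08 17:29:14,121 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:_run_cleanups): 400 POST http://keystone.example/v3/users/454b43812d4849408639e0350a76f788/password 0.413s
        Body: b'{"error":{"code":400,"message":"You cannot change your password at this time due to the minimum password age. Once you change your password, it must be used for 1 day(s) before it can be changed. Please try again in 0 day(s) or contact your administrator to reset your password.","title":"Bad Request"}}'
"""

# INFO summary line for a POST to the self-service password endpoint.
REQ = re.compile(
    r"Request \(\w+:(?P<phase>\w+)\): (?P<status>\d{3}) POST "
    r"\S+/users/(?P<user>[0-9a-f]{32})/password\s"
)
# The keystone error text quoted in the report, with both day counts captured.
AGE = re.compile(
    r"minimum password age\..*?must be used for (?P<min_age>\d+) day\(s\)"
    r".*?try again in (?P<left>\d+) day\(s\)"
)


def find_min_age_failures(log_text):
    """Return one finding per password change rejected by the minimum-age policy.

    A 400 only counts when the same user already changed their password (204)
    earlier in the log AND the response body carries the minimum-age message,
    so other 400 causes on this endpoint are not reported.
    """
    changed = {}    # user_id -> test phase that performed the last 204 change
    pending = None  # rejected change still waiting for its response body
    findings = []
    for line in log_text.splitlines():
        if "] Request (" in line:      # a new request summary starts here
            pending = None
            m = REQ.search(line)
            if not m:
                continue
            user, status = m["user"], int(m["status"])
            if status == 204:
                changed[user] = m["phase"]
            elif status == 400 and user in changed:
                pending = {"user_id": user, "changed_in": changed[user],
                           "rejected_in": m["phase"]}
            continue
        age = AGE.search(line)
        if pending and age:
            findings.append({**pending, "min_age_days": int(age["min_age"]),
                             "days_left": int(age["left"])})
            pending = None
    return findings


if __name__ == "__main__":
    for finding in find_min_age_failures(SAMPLE_LOG):
        print(finding)
```

In the report the rejection carries `days_left` of 0 even though the password was changed seconds earlier, so key on the rejection itself rather than on the day count.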

Martin Kopec (mkopec) wrote :

So these 2 tests are failing when keystone has set minimum_password_age = 1

https://opendev.org/openstack/tempest/src/commit/8cd09500bea38bfd9478814be95fddf3df56fbff/tempest/api/identity/v3/test_users.py#L80-L143

minimum_password_age defines the minimum number of days a password must be in use before it's allowed to be changed.

There was an attempt to solve this by https://review.opendev.org/c/openstack/tempest/+/806671; however, the patch affects the client's logic, which could cause more issues later, e.g. it could affect consumers (tempest plugins) which use the client.

The right way would be to edit the tests so that they create a user with the options set in the patch above (806671) - that way only the test cases are affected by the change, not the client.

Changed in tempest:
importance: Undecided → Medium
status: New → Confirmed
Alex Yefimov (ayefimov)
Changed in tempest:
assignee: nobody → Alex Yefimov (ayefimov)
Alex Yefimov (ayefimov)
description: updated
Ghanshyam Mann (ghanshyammann) wrote :

We should not fail the test in this case; instead, we should skip the 2nd password update attempt so that we test that the user can update their own password, that's it. Added comment in minimum_password_age

Changed in tempest:
assignee: Alex Yefimov (ayefimov) → Katarina Strenkova (kstrenko)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tempest (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tempest/+/890653

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tempest (master)

Reviewed: https://review.opendev.org/c/openstack/tempest/+/890653
Committed: https://opendev.org/openstack/tempest/commit/702f0befcea128ac2bc95bad787d592056f18ad4
Submitter: "Zuul (22348)"
Branch: master

commit 702f0befcea128ac2bc95bad787d592056f18ad4
Author: Katarina Strenkova <email address hidden>
Date: Mon Aug 7 12:53:28 2023 +0000

    Skip failing tests affected by minimum password age

    Some identity api tests are failing, when keystone parameter
    minimum_password_age is set to value greater than 0. It causes inability
    to update user's password more than once per test suite. As in this test
    suite it is required total of four times, this patch suggests skipping
    these tests to avoid complicated workaround.

    This bug has been discussed in several patches [1][2].

    Additionally, config option for user_minimum_password_age is added into
    tempest/config.py, to allow users to work with this keystone parameter.

    [1] https://review.opendev.org/c/openstack/tempest/+/806671
    [2] https://review.opendev.org/c/openstack/tempest/+/838726

    Related-Bug: #1946459
    Change-Id: I418e4001b0aa27f10a78f3490cc233293c30c274

Martin Kopec (mkopec) wrote :

The test is meant to be run only if the environment allows users to update passwords without minimum password age limit. If such limit is set in the environment, the test will be skipped as the env doesn't allow the test to change the password.

Changed in tempest:
status: Confirmed → Fix Released