Description
===========
Community Devstack does not open any security items by default. Yet when security compliance is true, running the test cases
tempest.api.identity.v3.test_users.IdentityV3UsersTest.test_password_history_check_self_service_api
and
tempest.api.identity.v3.test_users.IdentityV3UsersTest.test_user_update_own_password
will report error 400. This is because the two test cases have actually run successfully and changed the password, but after running, when the function addCleanup is executed to clear the stored password, the password needs to be changed again, and it takes another day before the password is allowed to be changed after setting the change password in [security_compliance] of the keystone configuration file. Therefore, an error is reported.
Configs
==============
keystone.conf
[security_compliance]
lockout_failure_attempts = 6
lockout_duration = 300
change_password_upon_first_use = True (needs to be False to Test, alexy)
password_expires_days = 90
password_regex = ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$
password_regex_description = Passwords must contain at least 1 letter, 1 digit, and be a minimum length of 7 characters.
unique_last_password_count = 2
minimum_password_age = 1
Logs
==============
tempest logs
==============================
Failed 1 tests - output below:
==============================
tempest.api.identity.v3.test_users.IdentityV3UsersTest.test_user_update_own_password[id-ad71bd23-12ad-426b-bb8b-195d2b635f27]
-----------------------------------------------------------------------------------------------------------------------------
Captured traceback:
~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
File "/root/tempest/tempest/api/identity/v3/test_users.py", line 67, in _restore_password
original_password=new_pass, password=random_pass)
File "/root/tempest/tempest/api/identity/v3/test_users.py", line 45, in _update_password
original_password=original_password)
File "/root/tempest/tempest/lib/services/identity/v3/users_client.py", line 66, in update_user_password
resp, _ = self.post('users/%s/password' % user_id, update_user)
File "/root/tempest/tempest/lib/common/rest_client.py", line 283, in post
return self.request('POST', url, extra_headers, headers, body, chunked)
File "/root/tempest/tempest/lib/common/rest_client.py", line 687, in request
self._error_checker(resp, resp_body)
File "/root/tempest/tempest/lib/common/rest_client.py", line 798, in _error_checker
raise exceptions.BadRequest(resp_body, resp=resp)
tempest.lib.exceptions.BadRequest: Bad request
Details: {'code': 400, 'message': 'You cannot change your password at this time due to the minimum password age. Once you change your password, it must be used for 1 day(s) before it can be changed. Please try again in 0 day(s) or contact your administrator to reset your password.', 'title': 'Bad Request'}
Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
2021-10-08 17:29:10,455 17369 DEBUG [tempest.api.identity.v3.test_users] ================creds: {'_initial': {'username': 'tempest-IdentityV3UsersTest-597745757', 'user_id': '454b43812d4849408639e0350a76f788', 'project_name': 'tempest-IdentityV3UsersTest-597745757', 'project_id': 'bdda6f8381c14235ab103654f5038531', 'password': 'P4#ZvTfyd_p6y%h', 'project_domain_id': 'default', 'project_domain_name': 'Default', 'domain_id': 'default', 'domain_name': 'Default'}, 'username': 'tempest-IdentityV3UsersTest-597745757', 'user_id': '454b43812d4849408639e0350a76f788', 'tenant_name': 'tempest-IdentityV3UsersTest-597745757', 'project_name': 'tempest-IdentityV3UsersTest-597745757', 'tenant_id': 'bdda6f8381c14235ab103654f5038531', 'project_id': 'bdda6f8381c14235ab103654f5038531', 'password': 'P4#ZvTfyd_p6y%h', 'user_domain_id': 'default', 'project_domain_id': 'default', 'user_domain_name': 'Default', 'project_domain_name': 'Default', 'domain_id': 'default', 'domain_name': 'Default'}
2021-10-08 17:29:10,455 17369 DEBUG [tempest.api.identity.v3.test_users] =================user_id: 454b43812d4849408639e0350a76f788
2021-10-08 17:29:10,456 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:test_user_update_own_password): POST http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password
2021-10-08 17:29:11,537 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 204 POST http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password 1.081s
2021-10-08 17:29:11,538 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
Body: {"user": {"password": "P8~eKhg50N6P&MS", "original_password": "P4#ZvTfyd_p6y%h"}}
Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:10 GMT', 'server': 'Apache', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-b523ab4b-e44e-46d4-bf09-85116fdba26f', 'connection': 'close', 'content-type': 'text/plain; charset=UTF-8', 'status': '204', 'content-location': 'http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password'}
Body: b''
2021-10-08 17:29:12,539 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:test_user_update_own_password): POST http://172.20.151.172:5000/v3/auth/tokens
2021-10-08 17:29:12,888 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 201 POST http://172.20.151.172:5000/v3/auth/tokens 0.349s
2021-10-08 17:29:12,888 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json'}
Body: <omitted>
Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:12 GMT', 'server': 'Apache', 'x-subject-token': '<omitted>', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-20b0d499-919e-4b47-87f7-d680df315dbe', 'content-length': '368', 'connection': 'close', 'content-type': 'application/json', 'status': '201', 'content-location': 'http://172.20.151.172:5000/v3/auth/tokens'}
Body: b'{"token": {"issued_at": "2021-10-08T09:29:12.000000Z", "audit_ids": ["0c_mvxF6S5-boRCYGMZYrg"], "methods": ["password"], "expires_at": "2021-10-08T15:29:12.000000Z", "user": {"password_expires_at": "2021-10-08T09:29:09.764059", "domain": {"id": "default", "name": "Default"}, "id": "454b43812d4849408639e0350a76f788", "name": "tempest-IdentityV3UsersTest-597745757"}}}'
2021-10-08 17:29:12,889 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:test_user_update_own_password): POST http://172.20.151.172:5000/v3/auth/tokens
2021-10-08 17:29:12,928 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 404 POST http://172.20.151.172:5000/v3/auth/tokens 0.040s
2021-10-08 17:29:12,929 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json'}
Body: <omitted>
Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:12 GMT', 'server': 'Apache', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-ff8f8848-3590-4fd4-97c6-f38d2c0b751c', 'content-length': '80', 'connection': 'close', 'content-type': 'application/json', 'status': '404', 'content-location': 'http://172.20.151.172:5000/v3/auth/tokens'}
Body: b'{"error":{"code":404,"message":"Failed to validate token","title":"Not Found"}}\n'
2021-10-08 17:29:12,930 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:test_user_update_own_password): POST http://172.20.151.172:5000/v3/auth/tokens
2021-10-08 17:29:13,317 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:test_user_update_own_password): 401 POST http://172.20.151.172:5000/v3/auth/tokens 0.387s
2021-10-08 17:29:13,317 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json'}
Body: <omitted>
Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:12 GMT', 'server': 'Apache', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-15e862f2-037b-4d59-ad66-d71330a6a6f2', 'www-authenticate': 'Keystone uri="http://172.20.151.172:5000/v3"', 'content-length': '109', 'connection': 'close', 'content-type': 'application/json', 'status': '401', 'content-location': 'http://172.20.151.172:5000/v3/auth/tokens'}
Body: b'{"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}\n'
2021-10-08 17:29:13,318 17369 DEBUG [tempest.api.identity.v3.test_users] ================creds: {'_initial': {'username': 'tempest-IdentityV3UsersTest-597745757', 'user_id': '454b43812d4849408639e0350a76f788', 'project_name': 'tempest-IdentityV3UsersTest-597745757', 'project_id': 'bdda6f8381c14235ab103654f5038531', 'password': 'P4#ZvTfyd_p6y%h', 'project_domain_id': 'default', 'project_domain_name': 'Default', 'domain_id': 'default', 'domain_name': 'Default'}, 'username': 'tempest-IdentityV3UsersTest-597745757', 'user_id': '454b43812d4849408639e0350a76f788', 'tenant_name': 'tempest-IdentityV3UsersTest-597745757', 'project_name': 'tempest-IdentityV3UsersTest-597745757', 'tenant_id': 'bdda6f8381c14235ab103654f5038531', 'project_id': 'bdda6f8381c14235ab103654f5038531', 'password': 'P8~eKhg50N6P&MS', 'user_domain_id': 'default', 'project_domain_id': 'default', 'user_domain_name': 'Default', 'project_domain_name': 'Default', 'domain_id': 'default', 'domain_name': 'Default'}
2021-10-08 17:29:13,318 17369 DEBUG [tempest.api.identity.v3.test_users] =================user_id: 454b43812d4849408639e0350a76f788
2021-10-08 17:29:13,707 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:_run_cleanups): 201 POST http://172.20.151.172:5000/v3/auth/tokens 0.389s
2021-10-08 17:29:13,708 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json'}
Body: <omitted>
Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:13 GMT', 'server': 'Apache', 'x-subject-token': '<omitted>', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-4a48fafc-3bb2-4dfc-9512-1595f2187eda', 'content-length': '11078', 'connection': 'close', 'content-type': 'application/json', 'status': '201', 'content-location': 'http://172.20.151.172:5000/v3/auth/tokens'}
Body: b'{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "33c8d3ee746b4171801b43b2db6cf43d", "name": "courier_project_member"}, {"id": "14cf0dab842d454682837d7ec2b40b39", "name": "heat_project_member"}, {"id": "4bc98f9a68ff449483da0a4086859c46", "name": "project_member"}, {"id": "d53afde73b9e49c083aa25866161354c", "name": "octavia_project_member"}, {"id": "aa1e36cc82cd4f0a84eaf0efa76af2d3", "name": "nova_project_member"}, {"id": "aaa5124a35fb4ec19613a0b73ffa2870", "name": "keystone_project_member"}, {"id": "077bb4595181495b91eec05b4d4ff733", "name": "glance_project_member"}, {"id": "421e4b4f3f51492da106ea75da50ac63",
"name": "panko_project_member"}, {"id": "1788a6425e684f91af94cdf03095b9d4", "name": "neutron_project_member"}, {"id": "3edbe37078ec4946a02639d582c78b42", "name": "cinder_project_member"}], "expires_at": "2021-10-08T15:29:13.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "bdda6f8381c14235ab103654f5038531", "name": "tempest-IdentityV3UsersTest-597745757"}, "catalog": [{"endpoints": [{"url": "http://192.168.10.176:9101", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "23d1b9153e7941c588d50bce6a997d71"}, {"url": "http://192.168.10.176:9101", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "f18dfa1df1d0490684f60c468b3357c7"}, {"url": "http://192.168.10.176:9101", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "fd01de692cad46bf94e22d85b4e91b47"}], "type": "metric", "id": "01e560e644f34586bfa134749cc11a32", "name": "prometheus"}, {"endpoints": [{"url": "http://192.168.10.176:9093", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "2e63635087a64b69ae5539954840d176"}, {"url": "http://192.168.10.176:9093", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "3d2cf420689d4bb393faec9c2159648c"}, {"url": "http://192.168.10.176:9093", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "70919943b5e748ed9fafa963b8cc4433"}], "type": "alarming", "id": "16b4ac122ad64a5993490f468fe46dab", "name": "alertmanager"}, {"endpoints": [{"url": "http://192.168.10.176:5000", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "24281193a2374dc39c2685c4e20856dd"}, {"url": "http://192.168.10.176:35357", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "2f98348fa47a431c9df03e2bd095acbe"}, {"url": "http://192.168.10.176:5000", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "596c911f2916471fa74b916ebac4510c"}], 
"type": "identity", "id": "197fc642f13541509dabace506316af6", "name": "keystone"}, {"endpoints": [{"url": "http://192.168.10.176:8776/v3/bdda6f8381c14235ab103654f5038531", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "052899db55d1443b8120e42b934dfd3b"}, {"url": "http://192.168.10.176:8776/v3/bdda6f8381c14235ab103654f5038531", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "cb117b205c12454a8e909becf15be7de"}, {"url": "http://192.168.10.176:8776/v3/bdda6f8381c14235ab103654f5038531", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "e4818c0e80994bbf966342b383949079"}], "type": "volumev3", "id": "1e68e8e4229340b49b5146cd8e7ea759", "name": "cinderv3"}, {"endpoints": [{"url": "http://192.168.10.176:6780", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "5779095255d84b4cb67d2683dc168cbd"}, {"url": "http://192.168.10.176:6780", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "5e262d3137ac4f2c930816cc29e5cbd6"}, {"url": "http://192.168.10.176:6780", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "b251a338d0134e6db6fff4bc530b117b"}], "type": "s3_object_store", "id": "2dbe077c2a184b529867e27c09b1175d", "name": "s3"}, {"endpoints": [{"url": "http://192.168.10.176:18084", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "2c63aeca32684
2021-10-08 17:29:13,708 17369 DEBUG [tempest.lib.common.rest_client] Starting Request (IdentityV3UsersTest:_run_cleanups): POST http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password
2021-10-08 17:29:14,121 17369 INFO [tempest.lib.common.rest_client] Request (IdentityV3UsersTest:_run_cleanups): 400 POST http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password 0.413s
2021-10-08 17:29:14,122 17369 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
Body: {"user": {"password": "X9^088ka8kcorqh", "original_password": "P8~eKhg50N6P&MS"}}
Response - Headers: {'date': 'Fri, 08 Oct 2021 09:29:13 GMT', 'server': 'Apache', 'vary': 'X-Auth-Token', 'x-openstack-request-id': 'req-ba04cc92-96cd-4db5-a87a-2ac1f124f72d', 'content-length': '304', 'connection': 'close', 'content-type': 'application/json', 'status': '400', 'content-location': 'http://192.168.10.176:5000/v3/users/454b43812d4849408639e0350a76f788/password'}
Body: b'{"error":{"code":400,"message":"You cannot change your password at this time due to the minimum password age. Once you change your password, it must be used for 1 day(s) before it can be changed. Please try again in 0 day(s) or contact your administrator to reset your password.","title":"Bad Request"}}\n'
======
Totals
======
Ran: 1 tests in 3.6686 sec.
- Passed: 0
- Skipped: 0
- Expected Fail: 0
- Unexpected Success: 0
- Failed: 1
Sum of execute time for each test: 3.6686 sec.
==============
Worker Balance
==============
- Worker 0 (1 tests) => 0:00:03.668596
So these 2 tests are failing when keystone has set minimum_password_age = 1
https://opendev.org/openstack/tempest/src/commit/8cd09500bea38bfd9478814be95fddf3df56fbff/tempest/api/identity/v3/test_users.py#L80-L143
minimum_password_age defines the minimum number of days a password must be in use before it's allowed to be changed.
There was an attempt to solve this by https://review.opendev.org/c/openstack/tempest/+/806671 however, the patch affects the client's logic, which could cause more issues later - e.g. it could affect consumers (tempest plugins) which use the client.
The right way would be to edit the tests so that they create a user with the options set in the patch above (806671) - that way only the test cases are affected by the change, not the client.
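The request sequence in the log above can be replayed with a small model of the minimum password age rule; this is an added example, not Keystone or Tempest code. The `User` class, the `replay` function and the rule that the age check only guards a password the user set themself are assumptions chosen to match the log, and the two timestamps are the password requests from the log.

```python
import configparser
from datetime import datetime, timedelta

# Constructed from the [security_compliance] values shown in the report.
KEYSTONE_CONF = """
[security_compliance]
unique_last_password_count = 2
minimum_password_age = 1
"""

class MinimumPasswordAge(Exception):
    """Stand-in for the 400 Bad Request seen in the report."""
    def __init__(self, days_left):
        super().__init__(f"try again in {days_left} day(s)")
        self.days_left = days_left

class User:
    """Simplified model of one account; not Keystone's own code."""
    def __init__(self, min_age_days):
        self.min_age = timedelta(days=min_age_days)
        self.changed_at = None  # None: password was set by an admin

    def change_own_password(self, now):
        # Assumption: the age rule only guards passwords the user set themself,
        # which matches the log (first change 204, second change 400).
        if self.changed_at is not None:
            earliest = self.changed_at + self.min_age
            if now < earliest:
                # .days floors, so anything under 24h left reads "0 day(s)"
                raise MinimumPasswordAge((earliest - now).days)
        self.changed_at = now

def replay(conf_text, timestamps):
    """Replay self-service changes; return one status string per request."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    days = cp.getint("security_compliance", "minimum_password_age", fallback=0)
    user, results = User(days), []
    for ts in timestamps:
        try:
            user.change_own_password(datetime.fromisoformat(ts))
            results.append("204")
        except MinimumPasswordAge as exc:
            results.append(f"400 days_left={exc.days_left}")
    return results

# Timestamps of the test's change and of the addCleanup restore, from the log.
RUN = ["2021-10-08 17:29:11", "2021-10-08 17:29:14"]

if __name__ == "__main__":
    print(replay(KEYSTONE_CONF, RUN))
```

With `minimum_password_age = 0` the same replay returns two 204 results, which is why the tests pass on a default Devstack.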