[SRU] Unable to change user password when ENFORCE_PASSWORD_CHECK is True

Bug #1728031 reported by lahari
This bug affects 6 people
Affects                          Status        Importance  Assigned to  Milestone
OpenStack Dashboard (Horizon)    Fix Released  Undecided   Unassigned
Ubuntu Cloud Archive             New           Undecided   Unassigned
  Antelope                       New           Undecided   Unassigned
  Bobcat                         New           Undecided   Unassigned
  Yoga                           New           Undecided   Unassigned
  Zed                            Fix Released  Undecided   Unassigned
horizon (Ubuntu)                 New           Undecided   Unassigned
  Focal                          New           Undecided   Unassigned
  Jammy                          New           Undecided   Unassigned
  Mantic                         New           Undecided   Unassigned

Bug Description

After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
and enabling this check:
Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True
the user password cannot be changed.
The form submission fails, displaying that the admin password is incorrect.

The reason for this is in openstack_dashboard/api/keystone.py:
the user_verify_admin_password method uses the internal URL to communicate with keystone.
Line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL.

===============
SRU Description
===============

[Impact]

Admins cannot change a user's password, as the form returns an error saying that the admin's password is incorrect, despite it being correct. There are 2 causes:
1) due to the lack of a user_domain being specified when validating the admin's password, validation will always fail if the admin is not registered in the "default" domain, because the user_domain defaults to "default" when not specified.
2) even if the admin user is registered in the "default" domain, validation may fail due to the wrong endpoint being used in the request to validate the admin's password.
The issues are fixed in 2 separate patches, [1] and [2]. However, [2] introduces a new config option, while [1] alone is also enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
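The first cause above is worth seeing in code. The example below is added here and is not Horizon's code: it builds the real Keystone v3 password-authentication body (POST /v3/auth/tokens) with and without the user's domain, and runs both against a constructed in-memory stand-in for Keystone (`FakeKeystone`), which, like the real service, identifies a user by (domain, name). `FakeRequestUser` is a constructed stand-in for Horizon's `request.user`; its `user_domain_name` attribute is the one used in the diff later in this thread.

```python
import hmac

# Domain that keystoneclient falls back to when no user domain is supplied.
DEFAULT_DOMAIN = "default"


def build_v3_password_auth(username, password, user_domain_name=None):
    """Build a Keystone v3 password-auth request body.

    When no domain is given, fall back to "default", which mirrors the
    behaviour described in the SRU [Impact] section.
    """
    domain = user_domain_name or DEFAULT_DOMAIN
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": domain},
                        "password": password,
                    }
                },
            }
        }
    }


class FakeKeystone:
    """Constructed stand-in for Keystone: users are keyed by (domain, name)."""

    def __init__(self):
        self._users = {}

    def add_user(self, domain, name, password):
        self._users[(domain, name)] = password

    def authenticate(self, body):
        user = body["auth"]["identity"]["password"]["user"]
        key = (user["domain"]["name"], user["name"])
        stored = self._users.get(key)
        # Constant-time comparison; the real service compares a password hash.
        return stored is not None and hmac.compare_digest(stored, user["password"])


class FakeRequestUser:
    """Constructed stand-in for Horizon's request.user (assumed attribute names)."""

    def __init__(self, username, user_domain_name):
        self.username = username
        self.user_domain_name = user_domain_name


def verify_admin_password_buggy(keystone, request_user, admin_password):
    """Before the fix: no domain is passed, so the lookup lands in "default"."""
    body = build_v3_password_auth(request_user.username, admin_password)
    return keystone.authenticate(body)


def verify_admin_password_fixed(keystone, request_user, admin_password):
    """After the fix: pass the logged-in admin's own domain along."""
    body = build_v3_password_auth(
        request_user.username, admin_password,
        user_domain_name=request_user.user_domain_name)
    return keystone.authenticate(body)


def demo():
    """Run both versions for an admin in "admin_domain" and one in "default"."""
    ks = FakeKeystone()
    ks.add_user("admin_domain", "admin", "correct-horse")  # constructed sample
    ks.add_user("default", "admin", "other-secret")        # constructed sample

    nondefault_admin = FakeRequestUser("admin", "admin_domain")
    default_admin = FakeRequestUser("admin", "default")
    return {
        "nondefault_buggy": verify_admin_password_buggy(ks, nondefault_admin, "correct-horse"),
        "nondefault_fixed": verify_admin_password_fixed(ks, nondefault_admin, "correct-horse"),
        "default_buggy": verify_admin_password_buggy(ks, default_admin, "other-secret"),
        "default_fixed": verify_admin_password_fixed(ks, default_admin, "other-secret"),
        "wrong_password_fixed": verify_admin_password_fixed(ks, nondefault_admin, "nope"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```

The "nondefault_buggy" case is the one the SRU describes: the admin's password is correct, but because the request names no domain, the check is made against ("default", "admin"), a different principal, and is rejected. Note that the buggy path can also silently consult a same-named account in "default" if one exists, which is why the fix passes the logged-in user's own domain rather than relying on the fallback.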

[Test case]

1. Setting up the env

1a. Deploy openstack env with horizon/openstack-dashboard

1b. Set up admin user in a domain not named "default", such as "admin_domain".

1c. Set up any other user, such as demo. Preferably in the admin_domain as well for convenience.

2. Reproduce the bug

2a. Login as admin and navigate to Identity > Users

2b. On the far right-hand side of the demo user row, click the options button and select Change Password

2c. Type in any new password, repeat it below, and type in the admin password. Click Save and you should see the message "The admin password is incorrect".

3. Install package that contains the fixed code

4. Confirm fix

4a. Repeat steps 2a-2c

4b. The password should now be saved successfully

[Regression Potential]

The code is a 1-line change that was tested in upstream CI (without the addition of bug-specific functional tests) from master (Caracal) to stable/zed without any issue captured. No side effects or risks are foreseen. Fix [1] has also been tested manually without fix [2] and still worked.

[Other Info]

None.

[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574

Revision history for this message
Sudheer Kalla (sudheer-kalla) wrote :
Changed in horizon:
status: New → Confirmed
status: Confirmed → New
tags: added: keystone
summary: - unable to change user password
+ Unable to change user password when ENFORCE_PASSWORD_CHECK is True
Revision history for this message
Ying Zuo (yingzuo) wrote : Re: Unable to change user password when ENFORCE_PASSWORD_CHECK is True

I am not able to reproduce the issue with the master branch. What version of horizon and keystone are you using?

Revision history for this message
lahari (ananda-bhavaraju) wrote :

Hello Ying,

I'm using openstack pike and keystone V2

This happens only when I set ENFORCE_PASSWORD_CHECK to True in local_settings.py.

Change ENFORCE_PASSWORD_CHECK to True and restart the apache2 service.

Then, when trying to change a user's password, I get an error saying the admin password is wrong.

Sudheer has attached the image. Thank you, Sudheer.

The reason, IMO, is that the API is trying to communicate via internalURL, which should be changed to adminURL.

Revision history for this message
Ying Zuo (yingzuo) wrote :

I enabled the ENFORCE_PASSWORD_CHECK and was able to change a user's password with the admin password successfully. I use keystone v3 though.

Revision history for this message
Sudheer Kalla (sudheer-kalla) wrote :

Hello Ying,

I am able to reproduce the same issue using openstack pike with keystone V3.

Also, I think it is not good to communicate via internalURL as the current implementation does. I think it is better to change the endpoint, or else it will cause problems in the future.

Revision history for this message
Ying Zuo (yingzuo) wrote :

Hello Sudheer,

I tried with stable/pike branch and keystone v3 this time, and still can not reproduce this issue. Can you double check if the admin password you used is correct?

Revision history for this message
Sudheer Kalla (sudheer-kalla) wrote :

Hello Ying,

I have just tried it again with the same configuration mentioned and I am able to reproduce it. Please find attached the screenshot just taken.

Also, in a debugging session I have observed the following:

(Pdb) api.keystone.user_verify_admin_password(request, admin_password)
False

The above API call is failing; as a result, the issue mentioned in this bug occurs.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

I can reproduce the issue. I ran the latest horizon master branch f911d0dd406f60fa9df5891ff5760f2251fc96b0 by using runserver tox env (tox -e runserver). After adding ENFORCE_PASSWORD_CHECK = True to local_settings.py, I see the message "The admin password is incorrect.".

Note that I confirmed my admin password is correct by copying the password I typed in the "Change Password" form and then re-logging in to horizon using the copied password. I believe my admin password is the expected one.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

After adding an error log message to the 'except' clause of user_verify_admin_password in openstack_dashboard.api.keystone, I got the following error message.

  ERROR openstack_dashboard.api.keystone user_verify_admin_password exception: Invalid service catalog service: identity (ServiceCatalogException)

The exception class is ServiceCatalogException and the message is "Invalid service catalog service: identity"

Interestingly enough, the error message is different from the bug description....

Revision history for this message
Gabriel Samfira (gabriel-samfira) wrote :

This feature cannot work with Keystone v3, as neither user_domain_id, nor user_domain_name are passed to the keystone client here:

https://opendev.org/openstack/horizon/src/branch/master/openstack_dashboard/api/keystone.py#L472

The following diff fixes this issue:

diff --git a/openstack_dashboard/api/keystone.py b/openstack_dashboard/api/keystone.py
index 38931e52d..0fb5d0b24 100644
--- a/openstack_dashboard/api/keystone.py
+++ b/openstack_dashboard/api/keystone.py
@@ -472,6 +472,7 @@ def user_verify_admin_password(request, admin_password):
         client.Client(
             username=request.user.username,
             password=admin_password,
+ user_domain_name=request.user.user_domain_name,
             insecure=insecure,
             cacert=cacert,
             auth_url=endpoint
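Review bot: the added line `+ user_domain_name=request.user.user_domain_name,` is indented with a single space while the neighbouring keyword arguments (`username=`, `password=`, `insecure=`) sit at the block's deeper indentation; align it with `password=admin_password,` so the call reads consistently and passes style checks. The hunk only supplies the user's domain and leaves `auth_url=endpoint` unchanged, so the endpoint-type issue raised in the bug description (the `internalURL` lookup) is not addressed here; that matches the second cause listed in the SRU [Impact] section and is worth stating in the commit message.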

Revision history for this message
Xav Paice (xavpaice) wrote :

Noted a case of this with a base install on Focal and Ussuri. The user account was not 'admin' but one with admin rights, and worked fine from CLI.

Revision history for this message
Fairbanks Admin Naturalis (naturalis-support) wrote :

I can confirm this bug is still present in victoria and the proposed fix does work.

Revision history for this message
Oleksandr Kozachenko (okozachenko) wrote :
Changed in horizon:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by "Oleksandr Kozachenko <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/854005
Reason: False negative

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/913250

Revision history for this message
Rodrigo Barbieri (rodrigo-barbieri2010) wrote : Re: Unable to change user password when ENFORCE_PASSWORD_CHECK is True

Tested this in jammy-bobcat and the problem is still there for the scenario where the cloud admin is not named "admin" in the "default" domain.

The proposed diff from code #10 fully addresses the issue.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/913250
Committed: https://opendev.org/openstack/horizon/commit/da8e959298575127434e6e15aae5d1f0638a6e22
Submitter: "Zuul (22348)"
Branch: master

commit da8e959298575127434e6e15aae5d1f0638a6e22
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Mar 14 15:22:14 2024 -0300

    Fix error on changing user password by admin

    Previous change I8438bedaf7cead452fc499e484d23690b48894d9
    attempted to address bug LP#1728031 by improving upon
    patch https://review.opendev.org/854005 but missed the
    line that allows the keystone client to properly
    authenticate a cloud admin user that IS NOT in the
    default domain.

    Without this 1-line fix, a cloud admin that is not
    in the default domain will face an "incorrect admin
    password" error in the UI (despite the admin password
    being correct) and an authentication error in the logs,
    regardless of the endpoint type used (adminURL,
    internalURL or publicURL).

    Closes-bug: #1728031
    Change-Id: I018e7d9cb84fd6ce8635c9054e15052ded7e9368

Changed in horizon:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/horizon/+/913519

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/913519
Committed: https://opendev.org/openstack/horizon/commit/e9bf695641f4c07fadacf12599ae406c5ecd3ca6
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit e9bf695641f4c07fadacf12599ae406c5ecd3ca6
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Mar 14 15:22:14 2024 -0300

    Fix error on changing user password by admin

    Previous change I8438bedaf7cead452fc499e484d23690b48894d9
    attempted to address bug LP#1728031 by improving upon
    patch https://review.opendev.org/854005 but missed the
    line that allows the keystone client to properly
    authenticate a cloud admin user that IS NOT in the
    default domain.

    Without this 1-line fix, a cloud admin that is not
    in the default domain will face an "incorrect admin
    password" error in the UI (despite the admin password
    being correct) and an authentication error in the logs,
    regardless of the endpoint type used (adminURL,
    internalURL or publicURL).

    Closes-bug: #1728031
    Change-Id: I018e7d9cb84fd6ce8635c9054e15052ded7e9368
    (cherry picked from commit da8e959298575127434e6e15aae5d1f0638a6e22)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/horizon/+/914122

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/914122
Committed: https://opendev.org/openstack/horizon/commit/7244c3142ca219a586ada686016b1eb956f9e7c5
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 7244c3142ca219a586ada686016b1eb956f9e7c5
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Mar 14 15:22:14 2024 -0300

    Fix error on changing user password by admin

    Previous change I8438bedaf7cead452fc499e484d23690b48894d9
    attempted to address bug LP#1728031 by improving upon
    patch https://review.opendev.org/854005 but missed the
    line that allows the keystone client to properly
    authenticate a cloud admin user that IS NOT in the
    default domain.

    Without this 1-line fix, a cloud admin that is not
    in the default domain will face an "incorrect admin
    password" error in the UI (despite the admin password
    being correct) and an authentication error in the logs,
    regardless of the endpoint type used (adminURL,
    internalURL or publicURL).

    Closes-bug: #1728031
    Change-Id: I018e7d9cb84fd6ce8635c9054e15052ded7e9368
    (cherry picked from commit da8e959298575127434e6e15aae5d1f0638a6e22)
    (cherry picked from commit e9bf695641f4c07fadacf12599ae406c5ecd3ca6)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/horizon/+/914446

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/914446
Committed: https://opendev.org/openstack/horizon/commit/5de40f9b222608d35c5a0919117259e966217a86
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 5de40f9b222608d35c5a0919117259e966217a86
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Mar 14 15:22:14 2024 -0300

    Fix error on changing user password by admin

    Previous change I8438bedaf7cead452fc499e484d23690b48894d9
    attempted to address bug LP#1728031 by improving upon
    patch https://review.opendev.org/854005 but missed the
    line that allows the keystone client to properly
    authenticate a cloud admin user that IS NOT in the
    default domain.

    Without this 1-line fix, a cloud admin that is not
    in the default domain will face an "incorrect admin
    password" error in the UI (despite the admin password
    being correct) and an authentication error in the logs,
    regardless of the endpoint type used (adminURL,
    internalURL or publicURL).

    Closes-bug: #1728031
    Change-Id: I018e7d9cb84fd6ce8635c9054e15052ded7e9368
    (cherry picked from commit da8e959298575127434e6e15aae5d1f0638a6e22)
    (cherry picked from commit e9bf695641f4c07fadacf12599ae406c5ecd3ca6)
    (cherry picked from commit 7244c3142ca219a586ada686016b1eb956f9e7c5)

tags: added: in-stable-zed
summary: - Unable to change user password when ENFORCE_PASSWORD_CHECK is True
+ [SRU] Unable to change user password when ENFORCE_PASSWORD_CHECK is True
description: updated
tags: added: sts sts-sru-needed
no longer affects: ubuntu
no longer affects: Ubuntu Focal
no longer affects: Ubuntu Jammy
no longer affects: Ubuntu Mantic
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 23.0.2

This issue was fixed in the openstack/horizon 23.0.2 release.
