← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #51912

[Bug 1588860] [NEW] keystone-manage bootstrap cannot recover admin account

  Thread PreviousDate PreviousThread Next 
Public bug reported:

The keystone-manage bootstrap command is intended to supersede the
admin_token middleware. However, one of the common use cases for the
admin_token middleware was to provide a recovery mechanism for cloud
operators that had accidentally disabled themselves or lost their
password.

However, even after attempting to "re-bootstrap" an existing admin with
a known password (effectively performing a password reset), the admin is
still not able to authenticate. The same is true if the admin was
disabled.

This was originally reported in #openstack-ansible by odyssey4me:

[Fri 09:29] <odyssey4me> dolphm lbragstad is keystone-manage bootstrap meant to skip the bootstrap if there are already settings in place? what is the right way to fix up creds that are lost somehow for the keystone admin?
[Fri 09:30] <dolphm> odyssey4me: bootstrap should be idempotent, but i don't think it'll change an admin's password if you specify something different
[Fri 09:31] <odyssey4me> dolphm so the options are, I guess, to delete the admin account in the db or to use the auth_token middleware?

** Affects: keystone
     Importance: Undecided
     Assignee: Dolph Mathews (dolph)
         Status: In Progress

** Affects: keystone/mitaka
     Importance: Undecided
         Status: New


** Tags: mitaka-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1588860

Title:
  keystone-manage bootstrap cannot recover admin account

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Identity (keystone) mitaka series:
  New

Bug description:
  The keystone-manage bootstrap command is intended to supersede the
  admin_token middleware. However, one of the common use cases for the
  admin_token middleware was to provide a recovery mechanism for cloud
  operators that had accidentally disabled themselves or lost their
  password.

  However, even after attempting to "re-bootstrap" an existing admin
  with a known password (effectively performing a password reset), the
  admin is still not able to authenticate. The same is true if the admin
  was disabled.

  This was originally reported in #openstack-ansible by odyssey4me:

  [Fri 09:29] <odyssey4me> dolphm lbragstad is keystone-manage bootstrap meant to skip the bootstrap if there are already settings in place? what is the right way to fix up creds that are lost somehow for the keystone admin?
  [Fri 09:30] <dolphm> odyssey4me: bootstrap should be idempotent, but i don't think it'll change an admin's password if you specify something different
  [Fri 09:31] <odyssey4me> dolphm so the options are, I guess, to delete the admin account in the db or to use the auth_token middleware?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1588860/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next