yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1588860] Re: keystone-manage bootstrap cannot recover admin account

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1588860@xxxxxxxxxxxxxxxxxx>
Date: Fri, 03 Jun 2016 19:32:01 -0000
Reply-to: Bug 1588860 <1588860@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/325352
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d6b016dd91c743a2f454a3b4f9d055510c2215ae
Submitter: Jenkins
Branch:    master

commit d6b016dd91c743a2f454a3b4f9d055510c2215ae
Author: Dolph Mathews <dolph.mathews@xxxxxxxxx>
Date:   Fri Jun 3 09:55:16 2016 -0500

    Bootstrap: enable and reset password for existing users
    
    One of the common use cases for the admin_token middleware was to
    provide a recovery mechanism for cloud operators that had accidentally
    disabled themselves or lost their password.
    
    Instead of using bootstrap to create a second admin just to recover the
    first, this change allows bootstrap to reset the user's credentials and
    ensure that the account is enabled.
    
    Change-Id: I82cafced67852335e9bb49035f13c993c7ccd2df
    Closes-Bug: 1588860


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1588860

Title:
  keystone-manage bootstrap cannot recover admin account

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  In Progress

Bug description:
  The keystone-manage bootstrap command is intended to supersede the
  admin_token middleware. However, one of the common use cases for the
  admin_token middleware was to provide a recovery mechanism for cloud
  operators that had accidentally disabled themselves or lost their
  password.

  However, even after attempting to "re-bootstrap" an existing admin
  with a known password (effectively performing a password reset), the
  admin is still not able to authenticate. The same is true if the admin
  was disabled.

  This was originally reported in #openstack-ansible by odyssey4me:

  [Fri 09:29] <odyssey4me> dolphm lbragstad is keystone-manage bootstrap meant to skip the bootstrap if there are already settings in place? what is the right way to fix up creds that are lost somehow for the keystone admin?
  [Fri 09:30] <dolphm> odyssey4me: bootstrap should be idempotent, but i don't think it'll change an admin's password if you specify something different
  [Fri 09:31] <odyssey4me> dolphm so the options are, I guess, to delete the admin account in the db or to use the auth_token middleware?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1588860/+subscriptions

References

[Bug 1588860] [NEW] keystone-manage bootstrap cannot recover admin account
From: Dolph Mathews, 2016-06-03