← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1827435] [NEW] add user option to ignore password_regex

 

Public bug reported:

Heat's bug: https://storyboard.openstack.org/#!/story/2005210

Heat creates service users in its dedicated domain on the fly. These are
crucial in situations that require deferred authentications, for example
autoscaling.

There's a password_regex option in [security_compliance] section in
Keystone that enforces passwords to pass a certain regex, thus enforcing
their strength.

However Heat has no way to generate random passwords for its users that
will certainly pass any such regex set. In fact the problem of
generating a random string from arbitrary regex is quite a non trivial
one and for now solutions/libraries exist only when regex uses only a
certain subset of a full regex spec.

When generating passwords for its domain users Heat creates quite a
strong password (32 alphanum+special symbols), but still it may fail a
custom regex set in Keystone.

It is proposed to add another user option (ignore_password_regex)
similar to those already existing in Keystone to override the regex
enforcement of the password for given user.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1827435

Title:
  add user option to ignore password_regex

Status in OpenStack Identity (keystone):
  New

Bug description:
  Heat's bug: https://storyboard.openstack.org/#!/story/2005210

  Heat creates service users in its dedicated domain on the fly. These
  are crucial in situations that require deferred authentications, for
  example autoscaling.

  There's a password_regex option in [security_compliance] section in
  Keystone that enforces passwords to pass a certain regex, thus
  enforcing their strength.

  However Heat has no way to generate random passwords for its users
  that will certainly pass any such regex set. In fact the problem of
  generating a random string from arbitrary regex is quite a non trivial
  one and for now solutions/libraries exist only when regex uses only a
  certain subset of a full regex spec.

  When generating passwords for its domain users Heat creates quite a
  strong password (32 alphanum+special symbols), but still it may fail a
  custom regex set in Keystone.

  It is proposed to add another user option (ignore_password_regex)
  similar to those already existing in Keystone to override the regex
  enforcement of the password for given user.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1827435/+subscriptions