yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #87209
[Bug 1943952] Re: Keystone should add password_status attribute to user
This seems like a request for enhancement instead of a bug. Please
submit this as a spec to the keystone-spec repo:
https://opendev.org/openstack/keystone-specs
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1943952
Title:
Keystone should add password_status attribute to user
Status in OpenStack Identity (keystone):
Invalid
Bug description:
Keystone should add password_status attribute to user. Status may
include: expired, expire_soon, locked.
expired/expire_soon:
Keystone should warn about user's password being expired or will be expire soon(7 days later or configurable). An administrator can list all the users to see if their password are expired or going to expire soon, then show it on some management UI or send email to them.
locked:
When a user's password is locked, keystone should show it via the user information. Since keystone has fixed an user guessing security vulnerability(CVE-2021-38155), it's impossible for the outside to know if an authentication error is due to invalid password or password lock. This greatly harms user friendliness and does not comply to common practice.
By adding a "locked" password status to user info, a login UI can decide if the authentication failure is caused by invalid password or password lock.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1943952/+subscriptions
References