yahoo-eng-team team mailing list archive

[Bug 1943952] Re: Keystone should add password_status attribute to user

 

This seems like a request for enhancement instead of a bug.  Please
submit this as a spec to the keystone-spec repo:

https://opendev.org/openstack/keystone-specs

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1943952

Title:
  Keystone should add password_status attribute to user

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Keystone should add password_status attribute to user. Status may
  include: expired, expire_soon, locked.

  expired/expire_soon:
  Keystone should warn about a user's password being expired or expiring soon (7 days later or configurable). An administrator can list all the users to see if their passwords are expired or going to expire soon, then show it on some management UI or send email to them.

  locked:
  When a user's password is locked, keystone should show it via the user information. Since keystone has fixed a user guessing security vulnerability (CVE-2021-38155), it's impossible for the outside to know if an authentication error is due to invalid password or password lock. This greatly harms user friendliness and does not comply with common practice.
  By adding a "locked" password status to user info, a login UI can decide if the authentication failure is caused by invalid password or password lock.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1943952/+subscriptions
