yahoo-eng-team team mailing list archive

[Bug 1728031] Re: Unable to change user password when ENFORCE_PASSWORD_CHECK is True

 

Reviewed:  https://review.opendev.org/c/openstack/horizon/+/913250
Committed: https://opendev.org/openstack/horizon/commit/da8e959298575127434e6e15aae5d1f0638a6e22
Submitter: "Zuul (22348)"
Branch:    master

commit da8e959298575127434e6e15aae5d1f0638a6e22
Author: Rodrigo Barbieri <rodrigo.barbieri2010@xxxxxxxxx>
Date:   Thu Mar 14 15:22:14 2024 -0300

    Fix error on changing user password by admin
    
    Previous change I8438bedaf7cead452fc499e484d23690b48894d9
    attempted to address bug LP#1728031 by improving upon
    patch https://review.opendev.org/854005 but missed the
    line that allows the keystone client to properly
    authenticate a cloud admin user that IS NOT in the
    default domain.
    
    Without this 1-line fix, a cloud admin that is not
    in the default domain will face an "incorrect admin
    password" error in the UI (despite the admin password
    being correct) and an authentication error in the logs,
    regardless of the endpoint type used (adminURL,
    internalURL or publicURL).
    
    Closes-bug: #1728031
    Change-Id: I018e7d9cb84fd6ce8635c9054e15052ded7e9368


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1728031

Title:
  Unable to change user password when ENFORCE_PASSWORD_CHECK is True

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  After following the security hardening guidelines:
  https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
  and enabling this check:
  Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True
  the user password cannot be changed.
  The form submission fails, displaying that the admin password is incorrect.

  The reason for this is in openstack_dashboard/api/keystone.py:
  the user_verify_admin_password method uses the internal URL to communicate with keystone.
  Line 500:
  endpoint = _get_endpoint_url(request, 'internalURL')
  This should be changed to adminURL.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1728031/+subscriptions


