
yahoo-eng-team team mailing list archive

[Bug 2060441] [NEW] Warning log messages about password being truncated upon user update

Public bug reported:

When a user is updated [1] the user object is re-instantiated from the
current user object.

In this user dictionary, the password attribute is the hashed password,
which can easily be more than the preconfigured 72 chars (when using the
`bcrypt` method). We have been running keystone since the icehouse
version, so we still have a lot of passwords that use the `sha512crypt`
method (which was the default back then [2]), which are easily more than
72 chars.

For example:
```
$6$rounds=40000$tgLsnccAfTiJSrKH$/k2pMchhql2t9GbFnHHGdr34v0nTKCgjj3yKct/gv5sSaMeXkUwH641ZVdGV3plOt5JWMgpem6GAtOTlGC.iO1
```

Please note, nothing wrong happens; the password is not actually
truncated when saved or updated, as this is handled separately [3].

One way to go about it is to pop the `password` field from the
`old_user_dict`, so the warning only pops up whenever a user really
updates its password.


[1] https://github.com/openstack/keystone/blob/8ca73f758bb613a57815fbe4ae78e3d2afa4af49/keystone/identity/backends/sql.py#L225
[2] https://github.com/openstack/keystone/blob/kilo-eol/keystone/common/utils.py#L127
[3] https://github.com/openstack/keystone/blob/8ca73f758bb613a57815fbe4ae78e3d2afa4af49/keystone/identity/backends/sql.py#L239

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2060441
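A constructed Python model of the update path the report describes, added here as an illustration and not keystone's own code: the stored hash flows into the password length check and trips the truncation warning, while popping `password` from the old dict, as proposed above, limits the warning to a password the caller actually supplied. `MAX_PASSWORD_LENGTH`, `password_too_long` and `update_user` are stand-in names, not keystone identifiers.

```python
import logging

logger = logging.getLogger(__name__)

# Assumed value: the report says the preconfigured limit with bcrypt is 72 chars.
MAX_PASSWORD_LENGTH = 72

# The sha512crypt hash quoted in the report, well over 72 chars.
OLD_HASH = ("$6$rounds=40000$tgLsnccAfTiJSrKH$/k2pMchhql2t9GbFnHHGdr34v0nTKCgjj3yKct/"
            "gv5sSaMeXkUwH641ZVdGV3plOt5JWMgpem6GAtOTlGC.iO1")


def password_too_long(password, max_length=MAX_PASSWORD_LENGTH):
    """Stand-in for the length check that logs the truncation warning.

    Returns True when a warning would be logged. The check is meant for a
    plaintext password about to be hashed; feeding it an already stored
    hash is exactly the situation the report describes.
    """
    if password is not None and len(password) > max_length:
        logger.warning("Truncating user password to %d characters.", max_length)
        return True
    return False


def update_user(old_user_dict, new_user_dict, drop_stored_hash=False):
    """Rebuild the user from old + new attributes and report whether the
    length check fired.

    drop_stored_hash=True applies the fix proposed in the report: the stored
    hash is popped from the old dict, so only a password present in the
    update itself reaches the check. (The stored hash itself is untouched;
    the report notes that saving the hash is handled separately.)
    """
    old = dict(old_user_dict)
    if drop_stored_hash:
        old.pop("password", None)
    merged = {**old, **new_user_dict}  # stands in for the re-instantiated user
    warned = password_too_long(merged.get("password"))
    return merged, warned


def demo():
    """Constructed user record: a rename should never trigger the warning."""
    stored = {"name": "alice", "password": OLD_HASH}
    _, spurious = update_user(stored, {"name": "alice2"})
    _, fixed = update_user(stored, {"name": "alice2"}, drop_stored_hash=True)
    return {"spurious_warning": spurious, "after_fix": fixed}
```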
