yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #94058
[Bug 1728031] Re: [SRU] Unable to change user password when ENFORCE_PASSWORD_CHECK is True
This bug was fixed in the package horizon - 4:24.0.0-0ubuntu2
---------------
horizon (4:24.0.0-0ubuntu2) oracular; urgency=medium
[ Rodrigo Barbieri ]
* d/p/lp1728031.patch: Fix admin unable to reset user's password.
(LP: #1728031)
[ Zhang Hua ]
* d/p/lp2054799.patch: Fix Users/Groups tab list when a domain
context is set. (LP: #2054799)
-- Mauricio Faria de Oliveira <mfo@xxxxxxxxxxxxx> Tue, 04 Jun 2024
16:52:08 -0300
** Changed in: horizon (Ubuntu Oracular)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1728031
Title:
[SRU] Unable to change user password when ENFORCE_PASSWORD_CHECK is
True
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive antelope series:
New
Status in Ubuntu Cloud Archive bobcat series:
New
Status in Ubuntu Cloud Archive yoga series:
New
Status in Ubuntu Cloud Archive zed series:
Fix Released
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in horizon package in Ubuntu:
Fix Released
Status in horizon source package in Focal:
New
Status in horizon source package in Jammy:
New
Status in horizon source package in Mantic:
New
Status in horizon source package in Noble:
New
Status in horizon source package in Oracular:
Fix Released
Bug description:
After following the security hardening guidelines:
https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-09-is-enforce-password-check-set-to-true
After this check is enabled
Check-Dashboard-09: Is ENFORCE_PASSWORD_CHECK set to True
The user password cannot be changed.
The form submission fails by displaying that admin password is incorrect.
The reason for this is in keystone.py in openstack_dashboard/api/keystone.py
user_verify_admin_password method uses internal url to communicate with the keystone.
line 500:
endpoint = _get_endpoint_url(request, 'internalURL')
This should be changed to adminURL
===============
SRU Description
===============
[Impact]
Admins cannot change user's password as it gives an error saying that the admin's password is incorrect, despite being correct. There are 2 causes:
1) due to the lack of user_domain being specified when validating the admin's password, it will always fail if the admin is not registered in the "default" domain, because the user_domain defaults to "default" when not specified.
2) even if the admin user is registered in the "default" domain, it may fail due to the wrong endpoint being used in the request to validate the admin's password.
The issues are fixed in 2 separate patches [1] and [2]. However, [2] is introducing a new config option, while [1] alone is also enough to fix the occurrence on some deployments. We are including only [1] in the SRU.
[Test case]
1. Setting up the env, ensure ENFORCE_PASSWORD_CHECK is set to True
1a. Deploy openstack env with horizon/openstack-dashboard
1b. Set up admin user in a domain not named "default", such as
"admin_domain".
1c. Set up any other user, such as demo. Preferably in the
admin_domain as well for convenience.
2. Reproduce the bug
2a. Login as admin and navigate to Identity > Users
2b. On the far right-hand side of the demo user row, click the options
button and select Change Password
2c. Type in any new password, repeat it below, and type in the admin
password. Click Save and you should see a message "The admin password
is incorrect"
3. Install package that contains the fixed code
4. Confirm fix
5a. Repeat steps 2a-2c
5b. The password should now be saved successfully
[Where problems could occur]
The code is a 1-line change that was tested in upstream CI (without
the addition of bug-specific functional tests) from master(Caracal) to
stable/zed without any issue captured. No side effects or risks are
foreseen. Usage of fix [1] has also been tested manually without fix
[2] and still worked. Worst case scenario, the ability to change
password that currently does not work will still not work, because the
code change is isolated to the specific function that validates the
authenticity of the password used.
[Other Info]
None.
[1] https://review.opendev.org/c/openstack/horizon/+/913250
[2] https://review.opendev.org/c/openstack/horizon/+/844574
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1728031/+subscriptions
References