yahoo-eng-team team mailing list archive
Message #94313
[Bug 2074018] [NEW] disable_user_account_days_inactive option locks out all users
Public bug reported:
Enabling the option `[security_compliance] disable_user_account_days_inactive = X` disables all user accounts in deployments that have been running for longer than X.

The root cause seems to be the way that the values of the `last_active_at` column in the `user` table are set. When the option is disabled, the `last_active_at` column is never updated, so it is null for all users.

If you later decide to turn on this option for compliance reasons, the current logic in Keystone will use the value of `created_at` as the last time the user was active. In any deployment where the users were created longer ago than the value of `disable_user_account_days_inactive`, this will result in all users being disabled, including the admin user, regardless of when the user last logged in.
** Affects: keystone
Importance: Medium
Assignee: Douglas Mendizábal (dougmendizabal)
Status: In Progress
** Changed in: keystone
Assignee: (unassigned) => Douglas Mendizábal (dougmendizabal)
** Changed in: keystone
Status: New => In Progress
** Changed in: keystone
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2074018
Title:
disable_user_account_days_inactive option locks out all users
Status in OpenStack Identity (keystone):
In Progress
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2074018/+subscriptions
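A pre-enablement audit for the behaviour described in the report, as an added example that is not part of the original message and is not Keystone's code: it lists which users would be treated as inactive, and separates those judged only by the `created_at` fallback from those with recorded inactivity. Assumptions: a simplified, constructed `user` table holding only the two columns named in the report plus an id, ISO-formatted date strings, a "days inactive >= X" comparison, and the hypothetical function names `audit_inactivity` and `build_sample_db`.

```python
import sqlite3
from datetime import date, datetime


def audit_inactivity(conn, max_days, today):
    """Return {user_id: reason} for users the described logic would disable."""
    flagged = {}
    rows = conn.execute("SELECT id, created_at, last_active_at FROM user")
    for user_id, created_at, last_active_at in rows:
        if last_active_at is not None:
            basis = date.fromisoformat(last_active_at)
            reason = "recorded inactivity"
        elif created_at is not None:
            # Fallback from the report: creation time stands in for last activity.
            basis = datetime.fromisoformat(created_at).date()
            reason = "never tracked, judged by created_at"
        else:
            continue  # nothing to compare against
        # Assumed comparison: disabled once days inactive reaches max_days.
        if (today - basis).days >= max_days:
            flagged[user_id] = reason
    return flagged


def build_sample_db():
    """Constructed sample data; the real schema has more columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id TEXT PRIMARY KEY, created_at TEXT, last_active_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [
            ("admin", "2020-01-15 09:00:00", None),          # old account, option was off
            ("alice", "2021-06-01 12:30:00", None),          # old account, option was off
            ("bob", "2024-07-01 08:00:00", None),            # created recently
            ("carol", "2020-03-10 10:00:00", "2024-07-20"),  # tracked, recently active
            ("dave", "2020-03-10 10:00:00", "2023-01-05"),   # tracked, long idle
        ],
    )
    return conn


if __name__ == "__main__":
    result = audit_inactivity(build_sample_db(), 90, date(2024, 7, 25))
    for user_id, reason in sorted(result.items()):
        print(f"{user_id}: {reason}")
```

Accounts reported as "never tracked, judged by created_at" are the ones the report says get locked out regardless of when they last logged in, so that list is worth reviewing before the option is turned on.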