← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #94395

[Bug 2074018] Re: disable_user_account_days_inactive option locks out all users

  Thread PreviousDate PreviousThread Next 
Reviewed:  https://review.opendev.org/c/openstack/keystone/+/924892
Committed: https://opendev.org/openstack/keystone/commit/e9513f8e4f25e1f20bc6fcab71d9177120000abf
Submitter: "Zuul (22348)"
Branch:    master

commit e9513f8e4f25e1f20bc6fcab71d9177120000abf
Author: Douglas Mendizábal <dmendiza@xxxxxxxxxx>
Date:   Fri Jul 19 17:10:11 2024 -0400

    Add keystone-manage reset_last_active command
    
    This patch adds the `reset_last_active` subcommand to the
    `keystone-manage` command line tool.
    
    This subcommand will update every user in the database that has a null
    value in the `last_active_at` property to the current server time. This
    is necessary to prevent user lockout in deployments that have been
    running for a long time without `disable_user_account_days_inactive` and
    later decide to turn it on.
    
    This patch also includes a change to the logic that sets
    `last_active_at` to fix the root issue of the lockout.
    
    Closes-Bug: 2074018
    Change-Id: I1b71fb3881dc041db01083fbb4f2592400096a31


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2074018

Title:
  disable_user_account_days_inactive option locks out all users

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Enabling the option `[security_compliance]
  disable_user_account_days_inactive = X` disables all user accounts in
  deployments that have been running for longer than X.

  The root cause seems to be the way that the values of the
  `last_active_at` column in the `user` table are set.  When the option
  is disabled, the `last_active_at` column is never updated, so it is
  null for all users.

  If you later decide to turn on this option for compliance reasons, the
  current logic in Keystone will use the value of `created_at` as the
  last time the user was active.  For any deployment where the users
  were created more than the value of
  `disable_user_account_days_inactive` will result in all users being
  disabled including the admin user regardless of when the user last
  logged in.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2074018/+subscriptions

References

  Thread PreviousDate PreviousThread Next