
yahoo-eng-team team mailing list archive

[Bug 2074018] Re: disable_user_account_days_inactive option locks out all users

 

** Also affects: keystone/2023.2
   Importance: Undecided
       Status: New

** Also affects: keystone/wallaby
   Importance: Undecided
       Status: New

** Also affects: keystone/2024.1
   Importance: Undecided
       Status: New

** Also affects: keystone/2024.2
   Importance: Medium
     Assignee: Douglas Mendizábal (dougmendizabal)
       Status: Fix Released

** Also affects: keystone/2023.1
   Importance: Undecided
       Status: New

** Changed in: keystone/wallaby
     Assignee: (unassigned) => Douglas Mendizábal (dougmendizabal)

** Changed in: keystone/2024.1
     Assignee: (unassigned) => Douglas Mendizábal (dougmendizabal)

** Changed in: keystone/2023.2
     Assignee: (unassigned) => Douglas Mendizábal (dougmendizabal)

** Changed in: keystone/2023.1
     Assignee: (unassigned) => Douglas Mendizábal (dougmendizabal)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2074018

Title:
  disable_user_account_days_inactive option locks out all users

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) 2023.1 series:
  New
Status in OpenStack Identity (keystone) 2023.2 series:
  New
Status in OpenStack Identity (keystone) 2024.1 series:
  New
Status in OpenStack Identity (keystone) 2024.2 series:
  Fix Released
Status in OpenStack Identity (keystone) wallaby series:
  New

Bug description:
  Enabling the option `[security_compliance]
  disable_user_account_days_inactive = X` disables all user accounts in
  deployments that have been running for longer than X.

  The root cause seems to be the way that the values of the
  `last_active_at` column in the `user` table are set.  When the option
  is disabled, the `last_active_at` column is never updated, so it is
  null for all users.

  If you later decide to turn on this option for compliance reasons, the
  current logic in Keystone will use the value of `created_at` as the
  last time the user was active.  For any deployment where the users
  were created more than the value of
  `disable_user_account_days_inactive` days ago, this will result in all
  users being disabled, including the admin user, regardless of when the
  user last logged in.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2074018/+subscriptions
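
A small Python model of the fallback described in the bug description, added here as an illustration and not Keystone's own code. The `User` class, the function names, the comparison operator and the sample rows are assumptions constructed for this example; it previews which accounts would be disabled only because `created_at` stood in for a NULL `last_active_at`.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class User:
    """Constructed stand-in for one row of the `user` table."""
    name: str
    created_at: date
    last_active_at: Optional[date]  # NULL while the option was disabled


def would_be_disabled(user, max_inactive_days, today):
    """Model of the reported logic: NULL last_active_at falls back to created_at."""
    reference = user.last_active_at or user.created_at
    return (today - reference).days > max_inactive_days  # assumed comparison


def lockout_preview(users, max_inactive_days, today):
    """Return (stale, fallback_only) names the option would disable.

    stale: disabled on real activity data.
    fallback_only: disabled only because created_at replaced a NULL.
    """
    stale, fallback_only = [], []
    for u in users:
        if would_be_disabled(u, max_inactive_days, today):
            (fallback_only if u.last_active_at is None else stale).append(u.name)
    return stale, fallback_only


# Constructed sample rows: the option was off until now, so most rows are NULL.
SAMPLE_USERS = [
    User("admin", date(2021, 3, 1), None),               # old account, no activity data
    User("alice", date(2024, 5, 20), None),              # created recently, still inside window
    User("bob", date(2022, 6, 1), date(2024, 1, 10)),    # genuinely inactive
    User("carol", date(2022, 6, 1), date(2024, 7, 1)),   # recently active
]
TODAY = date(2024, 7, 15)

if __name__ == "__main__":
    stale, fallback_only = lockout_preview(SAMPLE_USERS, 90, TODAY)
    print("disabled on real inactivity:", stale)
    print("disabled only via created_at fallback:", fallback_only)
```

A non-empty second list before enabling the option means those accounts, the admin included, would be locked out regardless of actual logins.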


