← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 2117217] [NEW] disable_user_account_days_inactive option locks out all active users with active application credentials

 

Public bug reported:

Enabling the option `[security_compliance]
disable_user_account_days_inactive = X` disables all user accounts those
are inactive more than X days.

But in our deployment many users use application credentials instead of
keystone user itself.

The root cause we identified was, even though app credentials was
actively used, user table `last_active_at` table was not updated at all.

Keystone still thinks the user was never active and disables the account
after X days

For now we have reverted the settings of `[security_compliance]
disable_user_account_days_inactive = X`

Deployment details

Keystone Version: 23.0.2 (Antelope)

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2117217

Title:
  disable_user_account_days_inactive option locks out all active users
  with active application credentials

Status in OpenStack Identity (keystone):
  New

Bug description:
  Enabling the option `[security_compliance]
  disable_user_account_days_inactive = X` disables all user accounts
  those are inactive more than X days.

  But in our deployment many users use application credentials instead
  of keystone user itself.

  The root cause we identified was, even though app credentials was
  actively used, user table `last_active_at` table was not updated at
  all.

  Keystone still thinks the user was never active and disables the
  account after X days

  For now we have reverted the settings of `[security_compliance]
  disable_user_account_days_inactive = X`

  Deployment details

  Keystone Version: 23.0.2 (Antelope)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2117217/+subscriptions