yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #96185
[Bug 2117217] [NEW] disable_user_account_days_inactive option locks out all active users with active application credentials
Public bug reported:
Enabling the option `[security_compliance]
disable_user_account_days_inactive = X` disables all user accounts those
are inactive more than X days.
But in our deployment many users use application credentials instead of
keystone user itself.
The root cause we identified was, even though app credentials was
actively used, user table `last_active_at` table was not updated at all.
Keystone still thinks the user was never active and disables the account
after X days
For now we have reverted the settings of `[security_compliance]
disable_user_account_days_inactive = X`
Deployment details
Keystone Version: 23.0.2 (Antelope)
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2117217
Title:
disable_user_account_days_inactive option locks out all active users
with active application credentials
Status in OpenStack Identity (keystone):
New
Bug description:
Enabling the option `[security_compliance]
disable_user_account_days_inactive = X` disables all user accounts
those are inactive more than X days.
But in our deployment many users use application credentials instead
of keystone user itself.
The root cause we identified was, even though app credentials was
actively used, user table `last_active_at` table was not updated at
all.
Keystone still thinks the user was never active and disables the
account after X days
For now we have reverted the settings of `[security_compliance]
disable_user_account_days_inactive = X`
Deployment details
Keystone Version: 23.0.2 (Antelope)
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2117217/+subscriptions