
yahoo-eng-team team mailing list archive

[Bug 2060441] Re: Warning log messages about password being truncated upon user update

 

Reviewed:  https://review.opendev.org/c/openstack/keystone/+/915256
Committed: https://opendev.org/openstack/keystone/commit/6d97d94be8664f95db8834ad8a821c0122b47e73
Submitter: "Zuul (22348)"
Branch:    master

commit 6d97d94be8664f95db8834ad8a821c0122b47e73
Author: Michel Nederlof <mnederlof@xxxxxxxxxxxx>
Date:   Mon Apr 8 11:13:45 2024 +0200

    Remove the password element from the generated dict in update_user
    
    This prevents a log warning when a hashed password is too long for the
    configured password_hashing_algorithm, as the currently hashed password
    is passed into the from_dict method, which will try to 'set' the password
    using the hashed value.
    
    Also, handling of a password update is done later in this method, so the
    warning message would also mislead anyone interpreting the log lines,
    as the password is not updated using this logic.
    
    Closes-Bug: #2060441
    Change-Id: I53d66fe87179aac7b3e211c84fd9858b1157b352


** Changed in: keystone
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2060441

Title:
  Warning log messages about password being truncated upon user update

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When a user is updated [1] the user object is re-instantiated from the
  current user object.

  In this user dictionary, the password attribute is the hashed
  password, which can easily be more than the preconfigured 72 chars
  (when using `bcrypt` method). We have been running keystone since
  icehouse version, so we still have a lot of passwords that use the
  `sha512crypt` method (which was the default back then [2]), which are
  more than 72 chars, easy.

  For example:
  ```
  $6$rounds=40000$tgLsnccAfTiJSrKH$/k2pMchhql2t9GbFnHHGdr34v0nTKCgjj3yKct/gv5sSaMeXkUwH641ZVdGV3plOt5JWMgpem6GAtOTlGC.iO1
  ```

  Please note, nothing wrong happens; the password is not actually
  truncated when saved or updated, as this is handled separately [3].

  One way to go about it, is to pop the `password` field from the
  `old_user_dict`, so the warning only pops up whenever a user really
  updates its password.


  [1] https://github.com/openstack/keystone/blob/8ca73f758bb613a57815fbe4ae78e3d2afa4af49/keystone/identity/backends/sql.py#L225
  [2] https://github.com/openstack/keystone/blob/kilo-eol/keystone/common/utils.py#L127
  [3] https://github.com/openstack/keystone/blob/8ca73f758bb613a57815fbe4ae78e3d2afa4af49/keystone/identity/backends/sql.py#L239
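The flow the report describes, reduced to a toy model added here for illustration. This is not keystone's code: the `User` class, the `hash_password` stand-in, the 72-character limit constant and the two `update_user_*` functions are simplified assumptions that reproduce the mechanism (an ORM-style `to_dict`/`from_dict` round trip pushes the stored hash back through the password setter, which warns because the hash is longer than the bcrypt input limit) and the effect of popping `password` from the dict before rebuilding.

```python
"""Toy model of an update_user round trip; added illustration, not keystone code."""
import hashlib
import logging
from typing import Dict, List, Optional, Tuple

LOG = logging.getLogger("toy_keystone")
logging.basicConfig(level=logging.WARNING)

# bcrypt only consumes the first 72 bytes of its input, so a hasher warns when
# it has to truncate. The same limit is assumed here.
MAX_PASSWORD_LENGTH = 72

# Every truncation warning the setter emits is recorded so callers can count them.
TRUNCATION_WARNINGS: List[str] = []


def hash_password(plain: str) -> str:
    """Stand-in for passlib hashing: yields a long '$6$...'-style string (152 chars)."""
    digest = hashlib.sha512(plain.encode("utf-8")).hexdigest()
    return "$6$rounds=40000$toysalt$" + digest


class User:
    """Minimal user record whose password *setter* hashes, like an ORM model."""

    def __init__(self) -> None:
        self.id: Optional[str] = None
        self.name: Optional[str] = None
        self.enabled: bool = True
        self._password_hash: Optional[str] = None

    @property
    def password(self) -> Optional[str]:
        return self._password_hash

    @password.setter
    def password(self, value: Optional[str]) -> None:
        if value is None:
            self._password_hash = None
            return
        if len(value) > MAX_PASSWORD_LENGTH:
            msg = f"Truncating password to {MAX_PASSWORD_LENGTH} characters before hashing"
            LOG.warning(msg)
            TRUNCATION_WARNINGS.append(msg)
            value = value[:MAX_PASSWORD_LENGTH]
        self._password_hash = hash_password(value)

    def to_dict(self) -> Dict:
        # Like the ORM's to_dict, this exposes the stored *hash* under 'password'.
        return {"id": self.id, "name": self.name, "enabled": self.enabled,
                "password": self._password_hash}

    @classmethod
    def from_dict(cls, data: Dict) -> "User":
        user = cls()
        for key, value in data.items():
            setattr(user, key, value)  # 'password' runs through the setter
        return user


def _apply(stored: User, old_dict: Dict, updates: Dict) -> User:
    """Shared tail of both flows: rebuild from the dict, copy the non-password
    attributes, then handle a real password change as a separate step."""
    old_dict.update(updates)
    rebuilt = User.from_dict(old_dict)
    for attr in ("name", "enabled"):
        setattr(stored, attr, getattr(rebuilt, attr))
    if "password" in updates:
        stored.password = updates["password"]
    return stored


def update_user_before_fix(stored: User, updates: Dict) -> User:
    """Pre-fix flow: the dict still carries the stored hash, so from_dict
    pushes a 152-char hash through the setter and trips a spurious warning."""
    return _apply(stored, stored.to_dict(), updates)


def update_user_after_fix(stored: User, updates: Dict) -> User:
    """Fixed flow: pop 'password' first; a warning can now only come from a
    plaintext password the caller actually supplied."""
    old_dict = stored.to_dict()
    old_dict.pop("password", None)
    return _apply(stored, old_dict, updates)


def run_update(updater, updates: Dict) -> Tuple[int, bool]:
    """Run one update against a user holding a constructed legacy long hash.
    Returns (number of truncation warnings, whether the stored hash changed)."""
    TRUNCATION_WARNINGS.clear()
    stored = User()
    stored.id, stored.name = "u-1", "alice"
    stored._password_hash = hash_password("legacy-secret")  # constructed sample
    before = stored.password
    updater(stored, updates)
    return len(TRUNCATION_WARNINGS), stored.password != before


if __name__ == "__main__":
    print("before fix, name change: ", run_update(update_user_before_fix, {"name": "bob"}))
    print("after fix,  name change: ", run_update(update_user_after_fix, {"name": "bob"}))
    print("after fix,  new password:", run_update(update_user_after_fix, {"password": "hunter2"}))
```

Running it shows the point of the report: a plain name change on the pre-fix path emits one truncation warning while leaving the stored hash untouched, the fixed path emits none, and a genuine password change still goes through the separate password step (and still warns if the new plaintext is over the limit).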

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2060441/+subscriptions
