
Merge "Add special user options for domain user"

tags/13.0.0.0rc1
Zuul Gerrit Code Review 11 months ago
parent
commit
563616967d
2 changed files with 18 additions and 2 deletions
  1. +13
    -1
      heat/engine/clients/os/keystone/heat_keystoneclient.py
  2. +5
    -1
      heat/tests/clients/test_heat_client.py

+ 13
- 1
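--- a/heat/engine/clients/os/keystone/heat_keystoneclient.py
+++ b/heat/engine/clients/os/keystone/heat_keystoneclient.py
@@ -328,6 +328,17 @@ class KsClientWrapper(object):
 # FIXME(shardy): Legacy fallback for folks using old heat.conf
 # files which lack domain configuration
 return self.create_stack_user(username=username, password=password)
+# We are creating automated user, for which most of security
+# compliance restrictions possibly set in Keystone should not apply,
+# https://docs.openstack.org/keystone/latest/admin/security-compliance.html
+# TODO(pas-ha) find a way to deal with password_regex and
+# disable_user_account_days_inactive
+# TODO(pas-ha) think if we also need to add lock_password too
+user_options = {
+"ignore_change_password_upon_first_use": True,
+"ignore_password_expiry": True,
+"ignore_lockout_failure_attempts": True
+}
 # We add the new user to a special keystone role
 # This role is designed to allow easier differentiation of the
 # heat-generated "stack users" which will generally have credentials
@@ -339,7 +350,8 @@ class KsClientWrapper(object):
 # Create user
 user = self.domain_admin_client.users.create(
 name=self._get_username(username), password=password,
-default_project=project_id, domain=self.stack_domain_id)
+default_project=project_id, domain=self.stack_domain_id,
+options=user_options)
 # Add to stack user role
 LOG.debug("Adding user %(user)s to role %(role)s",
 {'user': user.id, 'role': role_id})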
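Review bot: `"ignore_lockout_failure_attempts": True` in the new `user_options` dict exempts every stack domain user from Keystone's failed-authentication lockout, and the comment above the dict only says that compliance restrictions "should not apply", without saying why that is acceptable for this option. The trailing context comment notes that these users will generally have credentials, so with lockout off the remaining guard against password guessing is the strength of the `password` argument, which is generated outside the lines shown here. I would record that assumption next to the option, for example `# NOTE: lockout exemption relies on password being a long random value; confirm at the callers`, and consider exposing the exemptions through a configuration option so that operators with strict compliance requirements can keep lockout enabled. The enclosing method starts and ends outside the hunks shown.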


+ 5
- 1
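--- a/heat/tests/clients/test_heat_client.py
+++ b/heat/tests/clients/test_heat_client.py
@@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
 ctx = utils.dummy_context()
 self.patchobject(ctx, '_create_auth_plugin')
 ctx.trust_id = None
+user_options = dict(ignore_password_expiry=True,
+ignore_change_password_upon_first_use=True,
+ignore_lockout_failure_attempts=True)
 
 # mock keystone client functions
 self._stub_domain_admin_client()
@@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
 name='duser',
 password=None,
 default_project='aproject',
-domain='adomain123')
+domain='adomain123',
+options=user_options)
 self.mock_ks_v3_client.roles.grant.assert_called_once_with(
 project='aproject',
 role='4546',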

