
Add special user options for domain user

Those are automated users created by Heat, and they should
not be subject to restrictions that may be configured in Keystone
for security compliance, as those may break the automated nature of things.

Create domain users with several available user options that will
make Keystone ignore:
- password expiry
- requirement to change the password on first use
- lockout after failed auth attempts

There are more things that must be done to properly secure those users
from becoming non-working, but this will be proposed in the followup
patches.

Story: 2005210
Task: 29988

Change-Id: I3152ddb82426cf66f2bd8ed69f53c77c653142bf
changes/84/656884/1
Pavlo Shchelokovskyy 3 years ago
parent
commit
d695602397
  1. 14
      heat/engine/clients/os/keystone/heat_keystoneclient.py
  2. 6
      heat/tests/clients/test_heat_client.py

14
heat/engine/clients/os/keystone/heat_keystoneclient.py

@ -328,6 +328,17 @@ class KsClientWrapper(object):
# FIXME(shardy): Legacy fallback for folks using old heat.conf
# files which lack domain configuration
return self.create_stack_user(username=username, password=password)
# We are creating automated user, for which most of security
# compliance restrictions possibly set in Keystone should not apply,
# https://docs.openstack.org/keystone/latest/admin/security-compliance.html
# TODO(pas-ha) find a way to deal with password_regex and
# disable_user_account_days_inactive
# TODO(pas-ha) think if we also need to add lock_password too
user_options = {
"ignore_change_password_upon_first_use": True,
"ignore_password_expiry": True,
"ignore_lockout_failure_attempts": True
}
# We add the new user to a special keystone role
# This role is designed to allow easier differentiation of the
# heat-generated "stack users" which will generally have credentials
@ -339,7 +350,8 @@ class KsClientWrapper(object):
# Create user
user = self.domain_admin_client.users.create(
name=self._get_username(username), password=password,
default_project=project_id, domain=self.stack_domain_id)
default_project=project_id, domain=self.stack_domain_id,
options=user_options)
# Add to stack user role
LOG.debug("Adding user %(user)s to role %(role)s",
{'user': user.id, 'role': role_id})
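Review bot: `users.create(..., options=user_options)` in the second hunk passes a keyword that not every python-keystoneclient release accepts, so the minimum version in the project's requirements and lower-constraints files should be confirmed (and bumped in this change if needed) rather than deferred; those files are not visible here, so this is inferred. The `ignore_lockout_failure_attempts` entry exempts every stack-domain user from Keystone's failed-authentication lockout, and the inline comment above the dict should say so plainly so operators know that control no longer applies to these accounts, e.g. `# NOTE: these options exempt stack domain users from keystone lockout, password expiry and first-use password change policies`. Because heat/tests/clients/test_heat_client.py rebuilds the same three keys by hand, hoisting the dict to a module-level constant (e.g. `STACK_DOMAIN_USER_OPTIONS`) and asserting against it in the test would keep the two from drifting. The enclosing method starts and ends outside the hunk.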

6
heat/tests/clients/test_heat_client.py

@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
ctx = utils.dummy_context()
self.patchobject(ctx, '_create_auth_plugin')
ctx.trust_id = None
user_options = dict(ignore_password_expiry=True,
ignore_change_password_upon_first_use=True,
ignore_lockout_failure_attempts=True)
# mock keystone client functions
self._stub_domain_admin_client()
@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
name='duser',
password=None,
default_project='aproject',
domain='adomain123')
domain='adomain123',
options=user_options)
self.mock_ks_v3_client.roles.grant.assert_called_once_with(
project='aproject',
role='4546',
