From d69560239738e1e6fc5dd3169fe112ee5657005c Mon Sep 17 00:00:00 2001 From: Pavlo Shchelokovskyy Date: Thu, 2 May 2019 15:22:55 -0600 Subject: [PATCH] Add special user options for domain user those are automated users that are created by Heat and the should not be subject to restrictions possibly configured in Keystone for security compliance, as those may break automated nature of things. Create domain users with several available user options that will make Keystone ignore: - password expiry - requirement to change the password on first use - lockout after failed auth attempts There are more things that must be done to properly secure those users from becoming non-working, but this will be proposed in the followup patches. Story: 2005210 Task: 29988 Change-Id: I3152ddb82426cf66f2bd8ed69f53c77c653142bf
--- .../clients/os/keystone/heat_keystoneclient.py | 14 +++++++++++++- heat/tests/clients/test_heat_client.py | 6 +++++- 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/heat/engine/clients/os/keystone/heat_keystoneclient.py b/heat/engine/clients/os/keystone/heat_keystoneclient.py
index f91c2c134e..b738c2f089 100644
--- a/heat/engine/clients/os/keystone/heat_keystoneclient.py
+++ b/heat/engine/clients/os/keystone/heat_keystoneclient.py
@@ -328,6 +328,17 @@ class KsClientWrapper(object):
 # FIXME(shardy): Legacy fallback for folks using old heat.conf
 # files which lack domain configuration
 return self.create_stack_user(username=username, password=password)
+ # We are creating automated user, for which most of security
+ # compliance restrictions possibly set in Keystone should not apply,
+ # https://docs.openstack.org/keystone/latest/admin/security-compliance.html
+ # TODO(pas-ha) find a way to deal with password_regex and
+ # disable_user_account_days_inactive
+ # TODO(pas-ha) think if we also need to add lock_password too
+ user_options = {
+ "ignore_change_password_upon_first_use": True,
+ "ignore_password_expiry": True,
+ "ignore_lockout_failure_attempts": True
+ }
 # We add the new user to a special keystone role
 # This role is designed to allow easier differentiation of the
 # heat-generated "stack users" which will generally have credentials
@@ -339,7 +350,8 @@ class KsClientWrapper(object):
 # Create user
 user = self.domain_admin_client.users.create(
 name=self._get_username(username), password=password,
- default_project=project_id, domain=self.stack_domain_id)
+ default_project=project_id, domain=self.stack_domain_id,
+ options=user_options)
 # Add to stack user role
 LOG.debug("Adding user %(user)s to role %(role)s",
 {'user': user.id, 'role': role_id})
diff --git a/heat/tests/clients/test_heat_client.py b/heat/tests/clients/test_heat_client.py
index 8397ca7408..0b36e8c269 100644
--- a/heat/tests/clients/test_heat_client.py
+++ b/heat/tests/clients/test_heat_client.py
@@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
 ctx = utils.dummy_context()
 self.patchobject(ctx, '_create_auth_plugin')
 ctx.trust_id = None
+ user_options = dict(ignore_password_expiry=True, ignore_change_password_upon_first_use=True, ignore_lockout_failure_attempts=True)
 # mock keystone client functions
 self._stub_domain_admin_client()
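Review bot: `ignore_lockout_failure_attempts` in the new user_options dict switches off Keystone's failed-authentication lockout for every stack-domain user, so repeated bad-password attempts against these accounts are no longer throttled by Keystone, and the surrounding comment explains why the options are set but not what now carries that risk. What is left is the strength of the `password` handed to `users.create` (this hunk neither generates nor validates it) and the narrow scope of the account (stack domain, `default_project`, the stack-user role granted just below). I would extend the comment with something like `# NOTE: ignore_lockout_failure_attempts disables brute-force lockout for this user; callers must supply a high-entropy password and operators should alert on repeated auth failures in the stack domain instead.` As a style point, the dict is rebuilt on every call; a module-level constant such as `STACK_USER_OPTIONS` would also let the test in test_heat_client.py reference it instead of repeating the three keys. The enclosing method begins before this hunk and its body continues past the second hunk, so the password's origin cannot be confirmed from here.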
@@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
 name='duser',
 password=None,
 default_project='aproject',
- domain='adomain123')
+ domain='adomain123',
+ options=user_options)
 self.mock_ks_v3_client.roles.grant.assert_called_once_with(
 project='aproject',
 role='4546',