Remove password_expires_ignore_user_ids
The `password_expires_ignore_user_ids` option was deprecated in Ocata in favor of the per-user `ignore_password_expiry` option. Implements: bp removed-as-of-pike Change-Id: Ib69418c797595ec62ee3f2162fbf141c8bd47813
parent
900349583c
commit
88cc5cff87
|
@ -11,7 +11,6 @@
|
|||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
from oslo_log import versionutils
|
||||
|
||||
from keystone.conf import utils
|
||||
|
||||
|
@ -65,25 +64,6 @@ passwords would not be impacted. This feature depends on the `sql` backend for
|
|||
the `[identity] driver`.
|
||||
"""))
|
||||
|
||||
password_expires_ignore_user_ids = cfg.ListOpt(
|
||||
'password_expires_ignore_user_ids',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_reason=utils.fmt("""
|
||||
Functionality added as a per-user option "ignore_password_expiry" in Ocata.
|
||||
Each user that should ignore password expiry should have the value set to
|
||||
"true" in the user's `options` attribute (e.g.
|
||||
`user['options']['ignore_password_expiry'] = True`) with an "update_user" call.
|
||||
This avoids the need to restart keystone to adjust the users that ignore
|
||||
password expiry. This option will be removed in the Pike release.
|
||||
"""),
|
||||
deprecated_since=versionutils.deprecated.OCATA,
|
||||
default=[],
|
||||
help=utils.fmt("""
|
||||
Comma separated list of user IDs to be ignored when checking if a password
|
||||
is expired. Passwords for users in this list will not expire. This feature
|
||||
will only be enabled if `[security_compliance] password_expires_days` is set.
|
||||
"""))
|
||||
|
||||
unique_last_password_count = cfg.IntOpt(
|
||||
'unique_last_password_count',
|
||||
default=1,
|
||||
|
@ -150,7 +130,6 @@ ALL_OPTS = [
|
|||
lockout_failure_attempts,
|
||||
lockout_duration,
|
||||
password_expires_days,
|
||||
password_expires_ignore_user_ids,
|
||||
unique_last_password_count,
|
||||
minimum_password_age,
|
||||
password_regex,
|
||||
|
|
|
@ -14,7 +14,6 @@
|
|||
|
||||
import datetime
|
||||
|
||||
from oslo_log import versionutils
|
||||
import sqlalchemy
|
||||
from sqlalchemy.ext.hybrid import hybrid_property
|
||||
from sqlalchemy import orm
|
||||
|
@ -150,29 +149,16 @@ class User(sql.ModelBase, sql.DictBase):
|
|||
|
||||
def _get_password_expires_at(self, created_at):
|
||||
expires_days = CONF.security_compliance.password_expires_days
|
||||
# NOTE(notmorgan): This option is deprecated and subject to removal
|
||||
# in a future release.
|
||||
ignore_list = CONF.security_compliance.password_expires_ignore_user_ids
|
||||
if ignore_list:
|
||||
versionutils.deprecated(
|
||||
what='[security_compliance]\password_expires_ignore_user_ids',
|
||||
as_of=versionutils.deprecated.OCATA,
|
||||
remove_in=+1,
|
||||
in_favor_of=('Using the `ignore_password_expiry` value set to '
|
||||
'`True` in the `user["options"]` dictionary on '
|
||||
'User creation or update (via API call).'))
|
||||
# Get the IGNORE_PASSWORD_EXPIRY_OPT value from the user's
|
||||
# option_mapper.
|
||||
|
||||
ignore_pw_expiry = getattr(
|
||||
self.get_resource_option(iro.IGNORE_PASSWORD_EXPIRY_OPT.option_id),
|
||||
'option_value',
|
||||
False)
|
||||
if (self.id not in ignore_list) and not ignore_pw_expiry:
|
||||
if expires_days:
|
||||
expired_date = (created_at +
|
||||
datetime.timedelta(days=expires_days))
|
||||
return expired_date.replace(microsecond=0)
|
||||
if not ignore_pw_expiry and expires_days:
|
||||
expired_date = (created_at +
|
||||
datetime.timedelta(days=expires_days))
|
||||
return expired_date.replace(microsecond=0)
|
||||
return None
|
||||
|
||||
@password.expression
|
||||
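Review bot: `_get_password_expires_at` has no docstring, and with the new condition `if not ignore_pw_expiry and expires_days:` the per-user `ignore_password_expiry` resource option becomes the only exemption from `[security_compliance] password_expires_days`, which is worth stating where the decision is made. I would add `"""Return when a password created at created_at expires, or None if expiry is disabled or this user has ignore_password_expiry set."""` directly under the `def` line. Accounts that were exempt only through the removed config list presumably lose that exemption the next time an expiry is computed for them, and a leftover `password_expires_ignore_user_ids` entry in the config file is probably ignored without any warning, so it may be worth confirming which service accounts relied on the list before upgrading. The method is fully visible in this section; the enclosing `User` class begins outside it.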
|
|
|
@ -679,23 +679,6 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
|
|||
user_id=user['id'],
|
||||
password=self.password)
|
||||
|
||||
def test_authenticate_with_expired_password_for_ignore_user(self):
|
||||
# add the user id to the ignore list
|
||||
self.config_fixture.config(
|
||||
group='security_compliance',
|
||||
password_expires_ignore_user_ids=[self.user_dict['id']])
|
||||
# set password created_at so that the password will expire
|
||||
password_created_at = (
|
||||
datetime.datetime.utcnow() -
|
||||
datetime.timedelta(
|
||||
days=CONF.security_compliance.password_expires_days + 1)
|
||||
)
|
||||
user = self._create_user(self.user_dict, password_created_at)
|
||||
# test password is not expired due to ignore list
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=self.password)
|
||||
|
||||
def test_authenticate_with_expired_password_for_ignore_user_option(self):
|
||||
# set user to have the 'ignore_password_expiry' option set to False
|
||||
self.user_dict.setdefault('options', {})[
|
||||
|
|
|
@ -20,3 +20,9 @@ other:
|
|||
The catalog backend ``endpoint_filter.sql`` has been removed. It has been
|
||||
consolidated with the ``sql`` backend, therefore replace the
|
||||
``endpoint_filter.sql`` catalog backend with the ``sql`` backend.
|
||||
- >
|
||||
The ``[security_compliance] password_expires_ignore_user_ids`` option has
|
||||
been removed. Each user that should ignore password expiry should have the
|
||||
value set to "true" in the user's ``options`` attribute (e.g.
|
||||
``user['options']['ignore_password_expiry'] = True``) with a user update
|
||||
call.
|
||||
|
|