Bootstrap: enable and reset password for existing users
One of the common use cases for the admin_token middleware was to provide a recovery mechanism for cloud operators that had accidentally disabled themselves or lost their password. Instead of using bootstrap to create a second admin just to recover the first, this change allows bootstrap to reset the user's credentials and ensure that the account is enabled. Change-Id: I82cafced67852335e9bb49035f13c993c7ccd2df Closes-Bug: 1588860
parent
6e4fae9ed6
commit
d6b016dd91
|
@ -215,6 +215,24 @@ class BootStrap(BaseApp):
|
|||
default_domain['id'])
|
||||
LOG.info(_LI('User %s already exists, skipping creation.'),
|
||||
self.username)
|
||||
|
||||
# Remember whether the user was enabled or not, so that we can
|
||||
# provide useful logging output later.
|
||||
was_enabled = user['enabled']
|
||||
|
||||
# To keep bootstrap idempotent, try to reset the user's password
|
||||
# and ensure that they are enabled. This allows bootstrap to act as
|
||||
# a recovery tool, without having to create a new user.
|
||||
user = self.identity_manager.update_user(
|
||||
user['id'],
|
||||
{'enabled': True,
|
||||
'password': self.password})
|
||||
LOG.info(_LI('Reset password for user %s.'), self.username)
|
||||
if not was_enabled and user['enabled']:
|
||||
# Although we always try to enable the user, this log message
|
||||
# only makes sense if we know that the user was previously
|
||||
# disabled.
|
||||
LOG.info(_LI('Enabled user %s.'), self.username)
|
||||
except exception.UserNotFound:
|
||||
user = self.identity_manager.create_user(
|
||||
user_ref={'name': self.username,
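Review bot: The existing-user branch now overwrites the password and sets `enabled` to True for whichever account matches `self.username`, on every bootstrap run, and nothing in the hunk marks this as unconditional or as a security-relevant event. An account that an operator disabled on purpose is re-enabled just the same, and the 'Reset password for user %s.' line is logged at INFO even when nothing needed recovering, so a real recovery is hard to tell apart from a routine re-run in the logs. I would add a comment above the `update_user` call, such as `# NOTE: unconditional; any existing user with this name gets the bootstrap password and is re-enabled.`, and consider logging the reset at warning level so it stands out for audit. The enclosing `try` starts above the hunk and the `except exception.UserNotFound` branch continues below it, so whether other errors from `update_user` are handled cannot be judged from here.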
|
||||
|
|
|
@ -145,6 +145,28 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
|||
self._do_test_bootstrap(bootstrap)
|
||||
self._do_test_bootstrap(bootstrap)
|
||||
|
||||
def test_bootstrap_recovers_user(self):
|
||||
bootstrap = cli.BootStrap()
|
||||
self._do_test_bootstrap(bootstrap)
|
||||
|
||||
# Completely lock the user out.
|
||||
user_id = bootstrap.identity_manager.get_user_by_name(
|
||||
bootstrap.username,
|
||||
'default')['id']
|
||||
bootstrap.identity_manager.update_user(
|
||||
user_id,
|
||||
{'enabled': False,
|
||||
'password': uuid.uuid4().hex})
|
||||
|
||||
# The second bootstrap run will recover the account.
|
||||
self._do_test_bootstrap(bootstrap)
|
||||
|
||||
# Sanity check that the original password works again.
|
||||
bootstrap.identity_manager.authenticate(
|
||||
{},
|
||||
user_id,
|
||||
bootstrap.password)
|
||||
|
||||
|
||||
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
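Review bot: `test_bootstrap_recovers_user` checks only that the original password authenticates again; the part of the lockout that sets `'enabled': False` is never asserted to have been undone. Unless `_do_test_bootstrap` (not visible in this hunk) or `authenticate` already rejects disabled users, a regression that stops re-enabling the account would still pass. After the second bootstrap run I would add `user = bootstrap.identity_manager.get_user(user_id)` followed by `self.assertTrue(user['enabled'])`. A check that authentication with `bootstrap.password` fails right after the lockout would also confirm that the test starts from a locked-out account.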
|
||||
|
||||
|
|