Bootstrap: enable and reset password for existing users
One of the common use cases for the admin_token middleware was to provide a recovery mechanism for cloud operators that had accidentally disabled themselves or lost their password. Instead of using bootstrap to create a second admin just to recover the first, this change allows bootstrap to reset the user's credentials and ensure that the account is enabled. Change-Id: I82cafced67852335e9bb49035f13c993c7ccd2df Closes-Bug: 1588860
parent
6e4fae9ed6
commit
d6b016dd91
|
@ -215,6 +215,24 @@ class BootStrap(BaseApp):
|
||||||
default_domain['id'])
|
default_domain['id'])
|
||||||
LOG.info(_LI('User %s already exists, skipping creation.'),
|
LOG.info(_LI('User %s already exists, skipping creation.'),
|
||||||
self.username)
|
self.username)
|
||||||
|
|
||||||
|
# Remember whether the user was enabled or not, so that we can
|
||||||
|
# provide useful logging output later.
|
||||||
|
was_enabled = user['enabled']
|
||||||
|
|
||||||
|
# To keep bootstrap idempotent, try to reset the user's password
|
||||||
|
# and ensure that they are enabled. This allows bootstrap to act as
|
||||||
|
# a recovery tool, without having to create a new user.
|
||||||
|
user = self.identity_manager.update_user(
|
||||||
|
user['id'],
|
||||||
|
{'enabled': True,
|
||||||
|
'password': self.password})
|
||||||
|
LOG.info(_LI('Reset password for user %s.'), self.username)
|
||||||
|
if not was_enabled and user['enabled']:
|
||||||
|
# Although we always try to enable the user, this log message
|
||||||
|
# only makes sense if we know that the user was previously
|
||||||
|
# disabled.
|
||||||
|
LOG.info(_LI('Enabled user %s.'), self.username)
|
||||||
except exception.UserNotFound:
|
except exception.UserNotFound:
|
||||||
user = self.identity_manager.create_user(
|
user = self.identity_manager.create_user(
|
||||||
user_ref={'name': self.username,
|
user_ref={'name': self.username,
|
||||||
|
|
|
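Review bot: The existing-user branch now calls `update_user` with `'password': self.password` on every run, so re-running bootstrap from deployment tooling silently replaces a password the operator rotated after the first run, while the preceding log line still says "skipping creation". Because this resets a credential and may re-enable an administrative account, both events deserve more than INFO; consider logging them at warning level, using whichever warning-level translation marker this module already imports, so they stand out in audit review. The side effect should also be stated in the comment, e.g. `# NOTE: this overwrites any password set since the last bootstrap run.` Whether tokens already issued to the user are revoked by this update is not visible in the hunk and is worth confirming. The enclosing method starts and ends outside the hunk.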
@ -145,6 +145,28 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
||||||
self._do_test_bootstrap(bootstrap)
|
self._do_test_bootstrap(bootstrap)
|
||||||
self._do_test_bootstrap(bootstrap)
|
self._do_test_bootstrap(bootstrap)
|
||||||
|
|
||||||
|
def test_bootstrap_recovers_user(self):
|
||||||
|
bootstrap = cli.BootStrap()
|
||||||
|
self._do_test_bootstrap(bootstrap)
|
||||||
|
|
||||||
|
# Completely lock the user out.
|
||||||
|
user_id = bootstrap.identity_manager.get_user_by_name(
|
||||||
|
bootstrap.username,
|
||||||
|
'default')['id']
|
||||||
|
bootstrap.identity_manager.update_user(
|
||||||
|
user_id,
|
||||||
|
{'enabled': False,
|
||||||
|
'password': uuid.uuid4().hex})
|
||||||
|
|
||||||
|
# The second bootstrap run will recover the account.
|
||||||
|
self._do_test_bootstrap(bootstrap)
|
||||||
|
|
||||||
|
# Sanity check that the original password works again.
|
||||||
|
bootstrap.identity_manager.authenticate(
|
||||||
|
{},
|
||||||
|
user_id,
|
||||||
|
bootstrap.password)
|
||||||
|
|
||||||
|
|
||||||
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
|
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
|
||||||
|
|
||||||
|
|
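Review bot: `test_bootstrap_recovers_user` never checks that the lockout took effect or that the account is enabled after recovery; it relies on the final `authenticate` call to imply both. Adding `self.assertTrue(bootstrap.identity_manager.get_user(user_id)['enabled'])` after the second `_do_test_bootstrap` would make the re-enable path explicit. An assertion before the second run that authenticating with `bootstrap.password` fails would prove the test really starts from a locked-out state, rather than passing even if the `update_user` call had no effect. The literal `'default'` domain id also appears to assume the default domain id is not overridden in the test configuration.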