keystone/releasenotes/notes/bug-2074018-28f7bbe8f28f5efe.yaml
Douglas Mendizábal e9513f8e4f Add keystone-manage reset_last_active command
This patch adds the `reset_last_active` subcommand to the
`keystone-manage` command line tool.

This subcommand will update every user in the database that has a null
value in the `last_active_at` property to the current server time. This
is necessary to prevent user lockout in deployments that have been
running for a long time without `disable_user_account_days_inactive` and
later decide to turn it on.

This patch also includes a change to the logic that sets
`last_active_at` to fix the root issue of the lockout.

Closes-Bug: 2074018
Change-Id: I1b71fb3881dc041db01083fbb4f2592400096a31
2024-08-06 22:45:30 -04:00

---
features:
  - |
    Added a new command to the admin CLI tool:
    `keystone-manage reset_last_active`. This new command updates the database
    to overwrite any NULL values in `last_active_at` in the user table with the
    current time. This is a necessary step to fix Bug #2074018. See Launchpad
    for details.
fixes:
  - |
    Fixed Bug #2074018: Changed the user model to always save the date of the
    last user activity in `last_active_at`. Previous to this change, the
    `last_active_at` field was only updated when the option for
    `[security_compliance] disable_user_account_days_inactive` was set.
    If your deployment is affected by this bug, you must run
    `keystone-manage reset_last_active` before setting the
    `disable_user_account_days_inactive` option.
security:
  - |
    The new `keystone-manage reset_last_active` command resets all NULL values
    in `last_active_at` in the user table to help fix Bug #2074018. Running
    this command may be necessary in environments that have been deployed for
    a long time and later decide to adopt the
    `[security_compliance] disable_user_account_days_inactive = X` option.
    See Bug #2074018 for details.
    A side-effect of this command is that it resets the amount of time that an
    unused account is active for. Unused accounts will remain active until the
    configured days have elapsed since the day the command is run.
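
The reset and its side-effect described in the notes above, modelled as an added example (not keystone's code and not part of this commit). It assumes a simplified two-column `user` table in an in-memory SQLite database, constructed sample rows, a 90-day value for the option, and that the inactivity window is counted from `last_active_at`; it does not model how keystone treats NULL values before the reset.

```python
import sqlite3
from datetime import date, timedelta

def make_db(rows):
    """Constructed, simplified stand-in for the user table (not keystone's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id TEXT PRIMARY KEY, last_active_at TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", rows)
    return conn

def null_last_active(conn):
    """Pre-flight audit: ids of users whose last_active_at is NULL."""
    cur = conn.execute(
        "SELECT id FROM user WHERE last_active_at IS NULL ORDER BY id")
    return [r[0] for r in cur]

def reset_last_active(conn, today):
    """Model of the reset: overwrite only NULL values with the current date."""
    cur = conn.execute(
        "UPDATE user SET last_active_at = ? WHERE last_active_at IS NULL",
        (today.isoformat(),))
    conn.commit()
    return cur.rowcount  # number of users whose inactivity clock was restarted

def inactive_on(conn, max_days):
    """Date each user reaches max_days of inactivity (None if no date stored)."""
    out = {}
    for uid, last in conn.execute("SELECT id, last_active_at FROM user"):
        out[uid] = (date.fromisoformat(last) + timedelta(days=max_days)
                    if last else None)
    return out

# Constructed sample rows: one user with recorded activity, two with NULL.
SAMPLE = [("alice", "2024-08-01"), ("bob", None), ("svc-backup", None)]

if __name__ == "__main__":
    conn = make_db(SAMPLE)
    today, max_days = date(2024, 8, 6), 90  # assumed run date and option value
    print("NULL before reset:", null_last_active(conn))
    print("rows updated:", reset_last_active(conn, today))
    for uid, day in sorted(inactive_on(conn, max_days).items()):
        print(f"{uid}: reaches {max_days} inactive days on {day}")
```

The list returned by `null_last_active` before the reset is also the set of accounts whose inactivity window restarts on the run date, which is worth reviewing for unused accounts that should be disabled by hand instead.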