Exempt admin from lockout during system upgrade

The update added a script that will be invoked at the "activate" stage of system upgrade. The script makes a keystone user PATCH API call to set "ignore_lockout_failure_attempts" option for admin user so that it is exempted from failed auth lockout. Change-Id: I97138f78c760f8bebb137d68a473cc125f452f14 Closes-Bug: 1887470 Signed-off-by: Andy Ning <andy.ning@windriver.com>
2020-07-17 11:29:57 -04:00 · 2020-07-17 11:29:57 -04:00 · 686c6043e9
parent f5d8c40993
commit 686c6043e9
1 changed files with 62 additions and 0 deletions
--- a/controllerconfig/controllerconfig/upgrade-scripts/20-exempt-admin-from-lockout.sh
+++ b/controllerconfig/controllerconfig/upgrade-scripts/20-exempt-admin-from-lockout.sh
@ -0,0 +1,62 @@
+#!/bin/bash
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This script will call keystone user PATCH API to set
+# "ignore_lockout_failure_attempts" option for admin user, so that admin user
+# is exempted from failed auth lockout.
+#
+# This script can be removed in the release that follows 20.06.
+#
+
+NAME=$(basename $0)
+
+# The migration scripts are passed these parameters:
+FROM_RELEASE=$1
+TO_RELEASE=$2
+ACTION=$3
+
+user_name="admin"
+option="ignore_lockout_failure_attempts"
+option_value="true"
+
+source /etc/platform/openrc
+
+# This will log to /var/log/platform.log
+function log {
+    logger -p local1.info $1
+}
+
+log "$NAME: Setting ${option} option for $user_name to exempt it from fail auth lockout."
+
+if [ "$TO_RELEASE" == "20.06" ] && [ "$ACTION" == "activate" ]; then
+    token=$(openstack token issue -c id -f value)
+    if [ $? -ne 0 ]; then
+        log "$NAME: Get admin token failed."
+        exit 1
+    fi
+
+    user_id=$(openstack user show ${user_name} -c id -f value)
+    if [ $? -ne 0 ]; then
+        log "$NAME: Get user id for user ${user_name} failed."
+        exit 1
+    fi
+
+    req_url="${OS_AUTH_URL}/users/${user_id}"
+    data_json="{\"user\": {\"options\": {\"${option}\": ${option_value}}}}"
+
+    ret=$(/usr/bin/curl -X PATCH -H "X-Auth-Token: ${token}" \
+            -H "Content-Type: application/json" -d "${data_json}" "${req_url}")
+    if [ $? -ne 0 ]; then
+        log "$NAME: Set ${option} option for user ${user_name} failed."
+        exit 1
+    fi
+    if echo ${ret} | grep '"error"'; then
+        log "$NAME: Set ${option} option for user ${user_name} failed: ${ret}"
+        exit 1
+    fi
+fi
+
+exit 0
+