Bug 1489589

Summary: password_regex option in keystone.conf does not work on overcloud
Product: Red Hat OpenStack
Reporter: Prasanth Anbalagan <panbalag>
Component: rhosp-director
Assignee: Angus Thomas <athomas>
Status: CLOSED NOTABUG
QA Contact: Amit Ugol <augol>
Severity: high
Priority: high
Version: 12.0 (Pike)
CC: aschultz, dbecker, mburns, morazi, nkinder, rhel-osp-director-maint
Target Milestone: ga
Keywords: Triaged
Target Release: 12.0 (Pike)
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2017-09-15 14:52:41 UTC
Type: Bug

Description Prasanth Anbalagan 2017-09-07 20:11:34 UTC
***********************
Description of problem:
***********************

password_expire option in keystone.conf works on the undercloud and not on the overcloud. A bug has been opened upstream - https://bugs.launchpad.net/keystone/+bug/1715684


*************************************************************
Version-Release number of selected component (if applicable):
*************************************************************

openstack-keystone.noarch            1:12.0.1-0.20170830123737.6a67918.el7ost
puppet-keystone.noarch               11.3.1-0.20170829134651.131b8d8.el7ost
python-keystone.noarch               1:12.0.1-0.20170830123737.6a67918.el7ost
python-keystoneauth1.noarch          3.1.0-0.20170811112938.81363ec.el7ost
python-keystoneclient.noarch         1:3.13.0-0.20170811140641.a8de72a.el7ost
python-keystonemiddleware.noarch     4.17.0-0.20170821160714.4a72cd6.el7ost

*****************
How reproducible:
*****************

Always 

*******************
Steps to Reproduce:
*******************
Set password_regex to the pattern below (Note that this pattern is from the note section in keystone.conf above 'password_regex' - pattern for at least 1 letter, 1 digit, and have a minimum length of 7 characters)

1) 
$ sudo grep "password_regex" /etc/keystone/keystone.conf
password_regex = ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$

2) Restart httpd
$ sudo service httpd restart

3) $ openstack user create --password-prompt panbalag
User Password:a
Repeat User Password:a
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 12665ec14f73478fa7acc74271f119bd |
| name | panbalag |
| options | {} |
| username | panbalag |
+----------+----------------------------------+

***************
Actual results:
***************

User created successfully

*****************
Expected results:
*****************

"The password does not match the requirements: None. (HTTP 400)"

Comment 1 Prasanth Anbalagan 2017-09-15 14:52:41 UTC
Works as expected after changing the keystone.conf file in the correct location (as it is a containerized deployment)

(overcloud) [heat-admin@controller-0 ~]$ openstack user create --project members --password-prompt user3
User Password:
Repeat User Password:
The passwords entered were not the same
User Password:
Repeat User Password:
The password does not match the requirements: None. (HTTP 400) (Request-ID: req-8ee9bf87-76ef-4788-b6af-5dbba53e43a8)
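
Added example, not part of the bug report or of Keystone's code: a check that a given copy of keystone.conf actually carries the password policy, run over two constructed file contents that mirror the situation above (one edited copy, one copy the service reads). The `[security_compliance]` section name comes from Keystone's configuration layout rather than from this page, the function names are hypothetical, and a plain `re.match` is assumed to stand in for the server-side check.

```python
import configparser
import re

# Constructed sample: a keystone.conf edited with the pattern from the report.
EDITED_CONF = r"""
[DEFAULT]
debug = False

[security_compliance]
password_regex = ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$
"""

# Constructed sample: the copy the running service reads, still at its default.
SERVICE_CONF = r"""
[DEFAULT]
debug = False

[security_compliance]
#password_regex = <None>
"""


def effective_password_regex(conf_text):
    """Return the password_regex set in [security_compliance], or None if unset."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    value = parser.get("security_compliance", "password_regex", fallback=None)
    return value.strip() if value and value.strip() else None


def password_accepted(pattern, password):
    """With no pattern nothing is enforced; otherwise the password must match it."""
    if pattern is None:
        return True
    return re.match(pattern, password) is not None


def audit(configs, probes):
    """Map each config label to its pattern and the verdict for every probe password."""
    report = {}
    for label, text in configs.items():
        pattern = effective_password_regex(text)
        report[label] = (pattern, {p: password_accepted(pattern, p) for p in probes})
    return report


if __name__ == "__main__":
    configs = {"edited copy": EDITED_CONF, "copy the service reads": SERVICE_CONF}
    for label, (pattern, verdicts) in audit(configs, ["a", "abcdefg", "abc1234"]).items():
        print(f"{label}: password_regex={pattern!r} -> {verdicts}")
```

To use it on a real deployment, pass the text of each keystone.conf candidate (host copy and the one inside the container) to `audit` and compare the reported patterns.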