1489589 – password_regex option in keystone.conf does not work on overcloud

Bug 1489589 - password_regex option in keystone.conf does not work on overcloud

Summary: password_regex option in keystone.conf does not work on overcloud

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	rhosp-director
Sub Component:
Version:	12.0 (Pike)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	ga
Target Release:	12.0 (Pike)
Assignee:	Angus Thomas
QA Contact:	Amit Ugol
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-09-07 20:11 UTC by Prasanth Anbalagan
Modified:	2017-09-15 14:52 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-09-15 14:52:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Launchpad	1715684	0	None	None	None	2017-09-07 22:10:53 UTC

Description Prasanth Anbalagan 2017-09-07 20:11:34 UTC

***********************
Description of problem:
***********************

password_expire option in keystone.conf works on the undercloud and not on the overcloud. A bug has been opened upstream - https://bugs.launchpad.net/keystone/+bug/1715684


*************************************************************
Version-Release number of selected component (if applicable):
*************************************************************

openstack-keystone.noarch            1:12.0.1-0.20170830123737.6a67918.el7ost
puppet-keystone.noarch               11.3.1-0.20170829134651.131b8d8.el7ost
python-keystone.noarch               1:12.0.1-0.20170830123737.6a67918.el7ost
python-keystoneauth1.noarch          3.1.0-0.20170811112938.81363ec.el7ost
python-keystoneclient.noarch         1:3.13.0-0.20170811140641.a8de72a.el7ost
python-keystonemiddleware.noarch     4.17.0-0.20170821160714.4a72cd6.el7ost

*****************
How reproducible:
*****************

Always 

*******************
Steps to Reproduce:
*******************
Set password_regex to the pattern below (Note that this pattern is from the note section in keystone.conf above 'password_regex' - pattern for at least 1 letter, 1 digit, and have a minimum length of 7 characters)

1) 
$ sudo grep "password_regex" /etc/keystone/keystone.conf
password_regex = ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$

2) Restart httpd
$ sudo service httpd restart

3) $ openstack user create --password-prompt panbalag
User Password:a
Repeat User Password:a
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 12665ec14f73478fa7acc74271f119bd |
| name | panbalag |
| options | {} |
| username | panbalag |
+----------+----------------------------------+

***************
Actual results:
***************

User created successfully

*****************
Expected results:
*****************

"The password does not match the requirements: None. (HTTP 400)"

Comment 1 Prasanth Anbalagan 2017-09-15 14:52:41 UTC

Works as expected after changing the keystone.conf file in the correct location (as it is a containerized deployment)

(overcloud) [heat-admin@controller-0 ~]$ openstack user create --project members --password-prompt user3
User Password:
Repeat User Password:
The passwords entered were not the same
User Password:
Repeat User Password:
The password does not match the requirements: None. (HTTP 400) (Request-ID: req-8ee9bf87-76ef-4788-b6af-5dbba53e43a8)

Note You need to log in before you can comment on or make changes to this bug.