Created attachment 1566237: Horizon password change error

Description of problem:
Upon deploying RHOSP-15 with core_puddle_version = RHOS_TRUNK-15.0-RHEL-8-20190506.n.1 and configuring the keystone pod/container with the config below (to check PCI-DSS compliance), Horizon fails to show the password_regex_description on the dashboard if a user tries to set a new password that does not meet the regex requirements. The regex description appears only in the OpenStack unified CLI when sourced as the test user (in my case bear1, in project teddy).

/etc/keystone/keystone.conf
[security_compliance]
password_regex = ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$
password_regex_description = Passwords must contain at least 1 letter, 1 digit, and be a minimum length of 7 characters.

(overcloud) [stack@undercloud-0 ~]$ openstack project create teddy
(overcloud) [stack@undercloud-0 ~]$ openstack user create --password-prompt --project teddy --enable bear1
(overcloud) [stack@undercloud-0 ~]$ openstack role add --project teddy --user bear1 _member_

Trying to change the password from the CLI to '1234', which does not adhere to the regex requirements configured above, yields the message below.

(overcloud) [stack@undercloud-0 ~]$ openstack user password set --password 1234
Current Password:
The password does not match the requirements: Passwords must contain at least 1 letter, 1 digit, and be a minimum length of 7 characters.. (HTTP 400) (Request-ID: req-986ccec2-57b5-4e26-a89c-e70e37d9a892)
(overcloud) [stack@undercloud-0 ~]$

Trying to change the password from the Horizon dashboard shows a red label with the message "Error: Unable to change password." The description on the page reads "Change your password. We highly recommend you create a strong one." Attached is a screenshot to see it visually. A user would expect to see the password requirements description when they are not met on trying to change the password via the Horizon dashboard.

Version-Release number of selected component (if applicable):
RHOSP-15

How reproducible:
Deploy RHOS_TRUNK-15.0-RHEL-8

Steps to Reproduce:
1. Configure the keystone container/pod with the password_regex and password_regex_description shown above
2. Create a test project and user
3. Try changing the password, with one that does not meet the regex requirements, from the Horizon dashboard

Actual results:
"Error: Unable to change password." The description on the page reads "Change your password. We highly recommend you create a strong one."

Expected results:
Displays the error "unable to change password" and also includes the password_regex_description, as in "Passwords must contain at least 1 letter, 1 digit, and be a minimum length of 7 characters."

Additional info:
Adding DFG:UI for review. I'm not sure if this should be considered a bug or an RFE. While we maintain the ability to enforce complex password requirements, the user experience through Horizon is not ideal here. Not adding the FutureFeature keyword per ^^ but curious about UI team's thoughts.
I agree that this would be a feature request. I assume that Keystone has some kind of API by which Horizon could retrieve that description?
Moving DFG:Security to Devel Whiteboard for now as this appears to be a new feature in the UI side.
So as far as I was able to determine, the only way of getting the password_regex_description string from Nova is through an error message returned when the password doesn't match the regex. I see no way of getting this before actually attempting to change the password, so there is no way for us to display it. What we could do is have a corresponding Horizon setting where the same string could be configured. It would then be the responsibility of the administrator to make sure both settings are consistent.
It would be great to get any feedback on that from the security DFG. Are there plans to add such an API to keystone? If not, is the proposed solution acceptable?
The submitted patch makes Horizon include the password_regex_description in the error message displayed to the user. Unfortunately we have no way of translating it to the user's language, so it may still be unhelpful.
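The check behind the report's CLI output and the approach the patch above takes (surface keystone's detail text to the user) as one added Python example. This is not keystone's or Horizon's code: the keystone.conf fragment is constructed from the values in the report, and the function and exception names are assumptions chosen for illustration.

```python
import configparser
import re

# Constructed keystone.conf fragment mirroring the [security_compliance]
# settings from the bug report (not read from a real deployment).
KEYSTONE_CONF = r"""
[security_compliance]
password_regex = ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$
password_regex_description = Passwords must contain at least 1 letter, 1 digit, and be a minimum length of 7 characters.
"""

# Fixed prefix keystone puts in front of the configured description
# (taken from the HTTP 400 body quoted in the report).
ERROR_PREFIX = "The password does not match the requirements: "


class PasswordValidationError(ValueError):
    """Stand-in for keystone's HTTP 400 password error (assumed name)."""


def load_policy(conf_text):
    """Return (compiled regex, description) from a keystone.conf fragment."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["security_compliance"]
    return re.compile(sec["password_regex"]), sec["password_regex_description"]


def validate_password(password, policy):
    """Reject passwords that do not match the configured regex."""
    pattern, description = policy
    if pattern.match(password) is None:
        # keystone appends its own period after the description, which is
        # why the CLI output in the report ends in ".."
        raise PasswordValidationError(ERROR_PREFIX + description + ".")
    return True


def describe_failure(exc):
    """What a dashboard can show: keystone's detail text without the prefix."""
    msg = str(exc)
    return msg[len(ERROR_PREFIX):] if msg.startswith(ERROR_PREFIX) else msg


def check_password(password, conf_text=KEYSTONE_CONF):
    """Return None when the password is acceptable, else the user-facing reason."""
    try:
        validate_password(password, load_policy(conf_text))
    except PasswordValidationError as exc:
        return describe_failure(exc)
    return None
```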
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:0283