Merge "Add special user options for domain user"

2019-05-08 14:44:06 +00:00 · 2019-05-08 14:44:06 +00:00 · 563616967d
commit 563616967d
parent 38e43a0071 d695602397
2 changed files with 18 additions and 2 deletions
--- a/heat/engine/clients/os/keystone/heat_keystoneclient.py
+++ b/heat/engine/clients/os/keystone/heat_keystoneclient.py
@ -328,6 +328,17 @@ class KsClientWrapper(object):
            # FIXME(shardy): Legacy fallback for folks using old heat.conf
            # files which lack domain configuration
            return self.create_stack_user(username=username, password=password)
+        # We are creating automated user, for which most of security
+        # compliance restrictions possibly set in Keystone should not apply,
+        # https://docs.openstack.org/keystone/latest/admin/security-compliance.html
+        # TODO(pas-ha) find a way to deal with password_regex and
+        # disable_user_account_days_inactive
+        # TODO(pas-ha) think if we also need to add lock_password too
+        user_options = {
+            "ignore_change_password_upon_first_use": True,
+            "ignore_password_expiry": True,
+            "ignore_lockout_failure_attempts": True
+        }
        # We add the new user to a special keystone role
        # This role is designed to allow easier differentiation of the
        # heat-generated "stack users" which will generally have credentials
@ -339,7 +350,8 @@ class KsClientWrapper(object):
            # Create user
            user = self.domain_admin_client.users.create(
                name=self._get_username(username), password=password,
-                default_project=project_id, domain=self.stack_domain_id)
+                default_project=project_id, domain=self.stack_domain_id,
+                options=user_options)
            # Add to stack user role
            LOG.debug("Adding user %(user)s to role %(role)s",
                      {'user': user.id, 'role': role_id})
--- a/heat/tests/clients/test_heat_client.py
+++ b/heat/tests/clients/test_heat_client.py
@ -251,6 +251,9 @@ class KeystoneClientTest(common.HeatTestCase):
        ctx = utils.dummy_context()
        self.patchobject(ctx, '_create_auth_plugin')
        ctx.trust_id = None
+        user_options = dict(ignore_password_expiry=True,
+                            ignore_change_password_upon_first_use=True,
+                            ignore_lockout_failure_attempts=True)

        # mock keystone client functions
        self._stub_domain_admin_client()
@ -266,7 +269,8 @@ class KeystoneClientTest(common.HeatTestCase):
            name='duser',
            password=None,
            default_project='aproject',
-            domain='adomain123')
+            domain='adomain123',
+            options=user_options)
        self.mock_ks_v3_client.roles.grant.assert_called_once_with(
            project='aproject',
            role='4546',